BETHESDA, Md. — Marriott International is investigating and addressing a data-security incident involving the Starwood guest-reservation database.
The investigation — spurred by an alert from an internal security tool regarding an attempt to access the Starwood guest-reservation database in the U.S. in September — revealed that there had been unauthorized access to the Starwood network since 2014. The company recently discovered an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest-reservation database.
The company has not finished identifying duplicate information in the database, but believes it contains information on approximately 500 million guests who made a reservation at a Starwood property. Affected properties include those under Starwood legacy brands — W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels — as well as Starwood-branded timeshare properties.
For approximately 327 million of the impacted guests, the compromised information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some, the information also includes payment-card numbers and payment-card expiration dates, which were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment-card numbers and, at this point, Marriott has not been able to rule out the possibility that both were taken.
“We deeply regret this incident happened,” says Arne Sorenson, Marriott’s president and CEO. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward.”
The company has set up a dedicated website and call centre to answer guest questions regarding the data breach. It has also begun sending emails, on a rolling basis, to affected guests whose email addresses are in the Starwood guest-reservation database. Marriott is also providing guests the option to enroll in WebWatcher free of charge for one year. WebWatcher monitors sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.