Up to 500 million customers of the Marriott hotel chain may have had their personal details compromised in a large-scale data breach, the Telegraph online reports.
The Marriott – the world’s biggest hotel operator – said that an attack on its Starwood room reservation network had resulted in customer details being accessed since 2014.
Beyond sheer scale, the hack is particularly serious due to the nature of the details accessed; up to 327 million of those affected may have had sensitive information stolen such as emails, dates of birth, passport numbers and real addresses.
Credit card information may also have been exposed, says the Marriott, which runs around 6,000 hotels in 127 countries.
In response to the breach, the Information Commissioner’s Office stated:
“We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries. We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online.”
Speaking in the Telegraph online, cybersecurity specialist Joseph Carson said:
“What is shocking about this data breach is that the cybercriminals potentially got away with both the encrypted data as well as the methods to decrypt the data.”
“This latest major data breach will raise questions as to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU General Data Protection Regulation which imposes financial penalties of 20m Euros or 4pc of annual turnover.”
The intrusion was first identified in the Starwood guest reservation database in the States on 8th September, when, Marriott says, an “unauthorised party” was discovered to have copied and encrypted data. Further analysis revealed that access to the network had been ongoing since 2014.
Victims of the breach have turned to social media to complain, after finding out about the situation through the news before receiving any notification from Marriott. The firm’s share price fell around 5% on Friday morning.
Arne Sorenson, Marriott’s chief executive, said:
“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Any Marriott customers who stayed at a branch of Sheraton hotels between 2014 and now may have had personal data accessed. These hotels use the Starwood network that has been under attack for four years, unlike the Marriott-branded hotels, which operate on a different reservation infrastructure.
Marriott has said it intends to get in touch with victims, with emails that will come from the email@example.com address.