The cyber attack on Starwood Hotels and Resorts, which started as far back as 2014, was one of the largest known thefts of personal records, second only to the 2013 breach of Yahoo that affected three billion user accounts and larger than the 2017 episode involving the credit bureau Equifax.
Marriott has more than 6,700 properties worldwide under 30 hotel brands. Acquired in 2016, the Starwood brands account for about a third of the company’s total collection; they include Sheraton, W Hotels, Westin, Le Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The Luxury Collection, Tribute Portfolio, and Design Hotels.
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what had occurred. During the investigation Marriott learned that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information and had taken steps towards removing it from the network. On November 19, 2018, Marriott was able to decrypt the information and determined that its contents came from the Starwood guest reservation database. The investigation determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties made on or before September 10, 2018.
The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates; the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128). Two components are needed to decrypt the payment card numbers, but Marriott has not been able to rule out the possibility that both were taken.
“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott has taken the following steps to help guests monitor and protect their information:
- Dedicated Website and Call Center: A dedicated website (info.starwoodhotels.com) and call center have been established to answer questions about the incident. The call center is open seven days a week and is available in multiple languages
- Email Notification: Marriott will begin sending emails on a rolling basis starting November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database
- Free WebWatcher Enrolment: Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found
The company said that its Marriott hotels are not believed to be affected as its reservation system is “on a different network,” following Marriott’s acquisition of Starwood in 2016. It has begun informing customers of the breach — including in the U.S., Canada, and the U.K.
Marriott will face scrutiny from regulators, particularly in Europe, where the European Union’s General Data Protection Regulation (GDPR) privacy law took effect in May. Although the Starwood breach predates GDPR, the unauthorized activity continued after the law went into effect, so the incident would likely be subject to it. As the breach falls under the EU-wide GDPR rules, Starwood may face significant financial penalties of up to 4% of its global annual revenue if found to be in breach of them.
Forrester senior analyst Enza Iannopollo stated “Marriott will have to clarify how they managed M&A due diligence, since the breach happened within Starwood systems and started before that acquisition, whether they manage customers’ personal data as the GDPR requires – and this question alone might determine the future of their business, considering the 4% global revenue potential fine that comes with violation of the rules.”
It is expected that the breach will also “certainly” trigger legal action by consumer groups, something that would further threaten the future stability of the business.
The breach is set to be expensive for Marriott. Analysts from Morgan Stanley noted that Marriott could pay fines and settlements totalling USD 200 million. Verizon cut what it paid to acquire Yahoo by USD 350 million after its breach in 2016 was reported. Equifax reported recovery costs of USD 400 million from its 2017 event, which affected 148 million people.
Marriott’s (MAR) stock is plunging on the news, falling more than 6% in trading, as of Friday, November 30, 2018.
The Starwood attack occurred at roughly the same time as a number of other breaches at American health insurers and government agencies, including the United States Office of Personnel Management, in what security research firms and government officials described as an effort to compile a vast database of personal information on potential espionage targets.
Experts do not know whether the Starwood attack was linked to those other episodes. However, Starwood’s data has not appeared on the so-called dark web, according to Recorded Future, a cybersecurity firm, and Coalition, a cyber insurance provider, which suggests that the hotel attackers were not looking to sell what they took.
On November 19, digital forensics experts established the full scope of the attack. It was the second major security breach Starwood has reported; its cash register (point-of-sale) systems were breached in 2015.
Lawmakers said the Starwood incident was yet another example of why the United States needs data privacy laws that punish companies for failing to keep customers’ information private.
There is a common view that it is time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to collect only the data they actually need to serve their customers, and creates penalties for companies that fail to meet those standards.
Vanshita Agrawal, Research Analyst at A2Z Insights