A data breach that affects 500 million individuals was just announced. The affected party is US hotel chain Mariott, and more specifically, its Starwood subsidiary’s guest reservation network. Apparently, the network has exposed its entire database consisting of 500 million guest bookings that happened in the course four years. Law enforcement in the US has been contacted, and affected customers are being contacted.
The official statement states that on September 8 this year, the hotel chain received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database:
Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
What type of personal information has been affected?
It appears that approximately 327 million of the guest bookings included an abundance of highly sensitive personal details: the customers’ name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. That’s not all! Another batch of breached data for an unspecified number of customers included encrypted card numbers and expiration dates. The encryption used on these details, according to Marriott, was AES-128:
There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.
Security researchers speculate that this may be an example of salting and hashing.
The investigation found an encrypted database online, and after successfully decrypting it, a full copy of the whole Starwood guest reservation database was revealed. Here’s the list of the affected hotel brands:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton
- Design Hotels that participate in the Starwood Preferred Guest (SPG) program
- Starwood branded timeshare properties
You can refer to the “dedicated website and call center” for further details.