Marriott, the world’s biggest hotel chain, reported today that hackers have compromised a guest reservation database of its Starwood division and that around 500 million guest records have been stolen. The identity of the hackers is not yet known.
Marriott International bought Starwood Hotels and Resorts Worldwide for $13 billion in 2016. Some major hotel brands fall under the umbrella, including St Regis, W Hotels, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Aloft Hotels, and more.
With 500 million guest records stolen, the data breach has made history as the second-largest data breach ever seen, number one being Yahoo’s 2016 hacking that resulted in 3 billion user accounts being stolen.
It is thought that the breach of Starwood began in 2014, when an unknown hacker managed to gain access to the guest reservation database and copied and encrypted the information.
Marriott International first became aware of the breach in September this year, when its security system alerted it to an outside attempt to access the database.
Marriott launched an investigation and in November concluded that unauthorized access to the database had been occurring for some time.
It is estimated that sensitive personal information of 327 million guests has been stolen. This information includes their names, addresses, email addresses, phone numbers, passport numbers, dates of birth, genders, arrival and departure information, reservation date and communication preferences.
Marriott has confirmed that payment data has not been stolen because “the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).”
However, it is possible that payment data has been stolen. The hackers would simply need two separate components to decrypt the card numbers and payment information, so Marriott hasn’t been able to rule out the possibility that this has occurred.
Marriott has said that they have begun the process of notifying affected customers of the breach.
Under the GDPR, the EU data protection regulation that came into force this year, Marriott could face a maximum fine of 17 million.