Today, Marriott disclosed a large-scale data breach impacting up to 500 million customers who have stayed at a Starwood-branded hotel within the last four years.
While details of the breach are still sparse, Marriott stated that there was unauthorised access to a database tied to customer reservations stretching from 2014 to September 10, 2018. For a majority of impacted customers (approximately 327 million), the breached data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some of those guests, credit card numbers and expiration dates were also exposed; however, those values were encrypted using the Advanced Encryption Standard (AES-128). Marriott president and chief executive officer Arne Sorenson says, “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
A root cause of the breach is currently unknown, but Marriott indicated that the intruders encrypted the information before exfiltrating the data.
Security expert Brian Krebs noted that Starwood had disclosed a breach of its own in 2015, shortly after its acquisition by Marriott.
At the time, Starwood said that their breach timeline extended back one year, to roughly November 2014.
Incomplete remediation of breaches is extremely common, and when it is compounded by the asset management challenges that mergers and acquisitions introduce, lateral movement and exfiltration following an initial intrusion are not surprising. The Starwood properties impacted are as follows:
Malwarebytes suggests that if you’re a customer:
If you’re a business looking for tips to prevent getting hit by a breach: