Marriott announced that it recently detected and addressed a security incident involving the Starwood guest reservation database.

On 30 November, Marriott revealed that an internal investigation had found evidence of unauthorized access to the database containing guests’ reservation information at Sheraton hotels and other Starwood properties on or before 10 September 2018.

The American multinational hospitality company, which purchased Starwood in 2016, launched its investigation after a security tool detected an attempt by an unknown party to access the database on 8 September 2018. Marriott responded by hiring security experts to help determine what happened.

As a result of the review, Marriott learned that unauthorized individuals had been accessing Starwood’s network since at least 2014. It also found out that bad actors had copied and encrypted information before attempting to remove it. The hospitality company decrypted this information on 19 November 2018 and then learned that it had originated from the Starwood guest reservation database.

Based on its initial assessment, Marriott said it believes the database contains as many as 500 million guests’ information. That includes the date of birth, passport number and reservation details for 327 million customers.

The database also contained some customers’ payment card details protected by AES-128, Marriot learned. At this time, the hospitality company hasn’t ruled out the possibility that digital attackers stole the means to decrypt this information.

Marriott said it reported this incident to law enforcement and has begun notifying regulatory authorities.

Arne Sorenson, Marriott’s President and Chief Executive Officer, said the company as a whole “fell short of what our guests deserve and what we expect of ourselves.” As quoted in a news release:

Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about (Read more...)