Marriott's Starwood Reservation Hack Could Affect 500 MillionDatabase Intrusion Dates Back to 2014
(This story has been updated.)
The Marriott hotel chain has announced its Starwood guest reservation database has been hacked, potentially exposing up to 500 million accounts. The unauthorized access to the database started in 2014, the company says.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Marriott International acquired Starwood Hotels & Resorts Worldwide for $13 billion in 2016.
In a press release attached to an 8K form - signifying an significant unexpected event - filed with the Securities and Exchange Commission on Friday, the company says on Nov. 19 an investigation determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before Sept. 10.
On Sept. 8, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the U.S., the company says.
"Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps toward removing it. On Nov.19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database. "
The company says it has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
"For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date and communication preferences," the company says.
For some of those 327 million guests, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption, the news release adds. "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."
For the remaining guests, the information exposed was limited to name and sometimes other data such as mailing address, email address or other information, the hotel giant reports.
New York's attorney general, Barbara Underwood, and Maryland's attorney general, Brian Frosh, said on Friday that their offices had opened investigations into the breach.
We've opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected.— NY AG Underwood (@NewYorkStateAG) November 30, 2018
The Marriott data breach is one of the largest and most alarming we've seen. My office is launching an investigation to find out the circumstances that led to the breach and its impact on consumers. https://t.co/r3qUPBg3N8— Brian Frosh (@BrianFrosh) November 30, 2018
In its SEC filing about the incident, Marriott says it's premature to estimate the financial impact to the company. "The company carries insurance, including cyber insurance, commensurate with its size and the nature of its operations. The company is working with its insurance carriers to assess coverage," the filing notes.
Marriott's filing says the company will separately disclose costs specifically related to this incident, as well as any corresponding insurance reimbursements. "The timing of recognition of related costs may differ from the timing of recognition of any insurance reimbursement," it notes.
In the meantime, Marriott says it does not believe this incident will impact its long-term financial health. "As a manager and franchiser of leading lodging brands, the company generates meaningful cash flow each year with only modest capital investment needed to grow the business. The company remains committed to maintaining its investment grade credit rating."
Marriott says it reported this incident to law enforcement and continues to support their investigation, and it has already begun notifying regulatory authorities.
"We deeply regret this incident happened," said Arne Sorenson, Marriott's president and CEO. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
In a statement on its website, Marriott says it's providing those affected by the breach the opportunity to enroll in WebWatcher free of charge for one year. "WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer's personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries," the company notes.
Sorenson adds: "We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."
Back in 2015, Starwood revealed a point-of-sale malware intrusion at a number of its hotels.
Detecting the Compromise
While details about the particular tactics of the Marriott breach that was revealed Friday are not yet known, it appears that the initial compromise was missed, says former FBI cyber agent Andre McGregor, who is now head of security at the consultancy TLDR Global. "Network traffic is usually a key indicator of compromise, so if the attacker waited to exfiltrate data, the usual red flags would not have been present," he notes.
"A smart attacker's goal is to maintain silent persistence on a network for as long as possible," he adds.
Also possibly contributing to the intrusion persisting for years without notice was the acquisition of Starwood by Marriott, McGregor notes.
"Acquisitions create a good deal of confusion between organizations, particularly when it comes to IT infrastructure and security," he says. "Because most breaches are a result of mismanaged systems or administrative accounts, the criminal would have inevitably had to hijack one or both in order to gain access to this highly important data set. Situations like this highlight the importance of prioritizing security when merging systems and processes. Cybersecurity standards must be consistent for all types of data across the board."
Mac McMillan, president of the security consultancy CynergisTek, also says the incident shows possible sloppiness during the pre-acquisition phases of Marriott purchasing Starwood in 2016, which is apparently two years after the intrusion started. "This speaks to the level of due diligence from a security perspective that may or may not have occurred," he says. "However, something short of a forensic review may not have identified this attack, and typically that is not done during M&A due diligence."
The fallout of this breach for Marriott and its customers will be significant, McMillan predicts.
"For Marriott, this is a huge reputational hit as travelers who will now have to go through account changes and password changes - and potentially be subject to more phishing scams, etc. - will not be happy at all with a premier hospitality company like Marriott putting them in this situation. I'm sure there will also be numerous class action lawsuits as well, which will impact the company."