Marriott & SPG Data Breach: What you need to know
On Friday, November 30th, 2018, hotel chain giant Marriott announced that its reservation database had been the target of a data breach. Details are still emerging at this point, but an investigation revealed that there had been “unauthorized access to the Starwood network since 2014”. Marriott reported that the personal information of about 500 million guests had been compromised. That makes this the second-largest breach in history (that we know of).
It appears that the Starwood Reservation platform was the source of the breach. Back on September 2016, Marriott closed the acquisition of SPG, creating the world’s largest hotel company with over 5,700 properties, 1.1 million rooms, and a new portfolio of 30 brands.
The type of information stolen varies, but due to the nature of hotel reservation systems, highly sensitive “personally identifiable information” (PII) was compromised. Of the 500 million people affected, Marriott stated that 327 million guests may have had some combination of the following PII hacked:
In addition, Marriott was unable to verify that some guest’s credit card information was not stolen. Marriott uses encryption security to protect credit card numbers, but they could not rule out the possibility that the hackers got access to the encryption keys which could potentially unlock troves of payment data.
This is some of the most valuable data that can be sold on the black market. Thieves can use this info to tailor a phishing attack to your particular weaknesses. In worst case scenarios, this info could be used as the foundation of an effort to steal identities.
An internal security tool flagged the unauthorized party’s activity on September 8. Marriott then discovered that the hackers had accessed the information, encrypted it and attempted to remove it. It took Marriott until late November to decrypt the information.
In a press release, Marriott CEO Arne M. Sorenson said: “We deeply regret this incident happened…We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
It’s still unclear how the hackers accessed the data, but it’s not the first time Starwood has been subject to a data breach. In 2015, 54 Starwood hotels in North America fell victim to a malware attack which aimed at stealing credit and debit card information through payment systems at restaurants and stores.
The breach specifically targeted the SPG reservation system so guests who made bookings at the following properties were affected:
If you stayed in a Starwood property on or before September 10, 2018, it’s likely that some of your personal information has been compromised. Marriott has set up a dedicated website and call center to answer frequently asked questions.
Some other steps you can take:
Breaches like these highlight the importance of implementing a comprehensive cybersecurity program for your business. However, no matter how much you focus on compliance, processes and mitigating risks, mistakes happen and litigation follows. In Marriott’s case, a class action lawsuit has already been filed alleging that the hotel chain “failed to ensure the integrity of its servers and to properly safeguard consumers’ highly sensitive and confidential information.”
If your customers can purchase your services over the web, then you likely hold enormous amounts of sensitive data such as financial information, SSNs and more. You are also required to comply with many privacy and notification laws regarding the loss of this information. A cyber liability policy is designed to protect you from the financial consequences of a cyber attack. The policy will pay for notification costs, damage to your systems and the cost to comply with regulations.
Want to read more on the subject? We’ve picked out some articles we’ve published that we highly recommend reading if you’re interested in learning how to protect your company against cyber threats:
Interested in hearing more about how you can protect your company from the financial and reputational effects of data breaches? Talk to us! You can contact us at email@example.com or create an account here in order to get a quote for a cyber liability insurance policy.
PCI DSS compliance and cyber liability can seem confusing, but we break it down for you so you can keep your business booming.