On Friday, November 30th, 2018, hotel chain giant Marriott announced that its reservation database had been the target of a data breach. Details are still emerging at this point, but an investigation revealed that there had been “unauthorized access to the Starwood network since 2014”. Marriott reported that the personal information of about 500 million guests had been compromised. That makes this the second-largest breach in history (that we know of).
It appears that the Starwood guest reservation database was the source of the breach. Back in September 2016, Marriott closed its acquisition of Starwood Hotels & Resorts (the company behind the Starwood Preferred Guest, or SPG, program), creating the world’s largest hotel company with over 5,700 properties, 1.1 million rooms, and a new portfolio of 30 brands.
What data was breached?
The type of information stolen varies, but due to the nature of hotel reservation systems, highly sensitive “personally identifiable information” (PII) was compromised. Of the 500 million people affected, Marriott stated that about 327 million guests may have had some combination of the following PII exposed:
- Mailing address
- Phone number
- Email address
- Passport number
- Starwood Preferred Guest (‘SPG’) account information
- Date of birth
- Arrival and departure information, reservation date, and communication preferences
In addition, Marriott was unable to verify that some guests’ credit card information was not stolen. Card numbers in the Starwood database were stored encrypted (Marriott has said with AES-128), but the company could not rule out the possibility that the attackers also obtained the components needed to decrypt them. Encryption at rest only protects data if the keys are kept somewhere the attacker cannot reach; if the keys were taken alongside the ciphertext, troves of payment data could be unlocked.
This is some of the most valuable data that can be sold on the black market. Thieves who know where and when you travelled, and which email address and phone number you used, can craft a convincing, personalised phishing message. In worst case scenarios, this info (a passport number plus a date of birth and address) could be used as the foundation of an identity theft.
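The point above about keys is the one that decides whether stolen ciphertext is worth anything. As an added illustration (this is example code written for this post, not Marriott’s or Starwood’s system), the Go program below stores a card number the way a reservation system should: each record is encrypted with its own data key, that data key is wrapped with a key-encryption key (KEK) that never lives on the database host, and an attacker who dumps the table but not the KEK cannot recover a single card number. The card number, the key bytes and the record layout are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the reservation database holds for one payment card: the
// encrypted PAN and the per-record data key (DEK), itself wrapped under a
// KEK that is kept in an HSM/KMS and is never stored next to the records.
type Record struct {
	Last4      string // kept in clear for display; not enough to charge a card
	PANCipher  []byte // nonce || AES-256-GCM ciphertext of the full PAN
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK under the KEK
}

// seal encrypts plaintext with AES-256-GCM under key, prepending a random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. GCM's authentication tag makes decryption fail
// outright on a wrong key or tampered ciphertext instead of returning garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// StoreCard encrypts a PAN under a fresh DEK and wraps that DEK with the KEK.
// Binding the last four digits as associated data stops a record's ciphertext
// from being silently swapped into another guest's row.
func StoreCard(kek []byte, pan string) (Record, error) {
	if len(pan) < 4 {
		return Record{}, errors.New("pan too short")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	last4 := pan[len(pan)-4:]
	panCipher, err := seal(dek, []byte(pan), []byte("pan:"+last4))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek"))
	if err != nil {
		return Record{}, err
	}
	return Record{Last4: last4, PANCipher: panCipher, WrappedDEK: wrapped}, nil
}

// ReadCard unwraps the DEK with the KEK and then decrypts the PAN.
// Without the KEK the first step fails, so a stolen table is just bytes.
func ReadCard(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK, []byte("dek"))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := open(dek, r.PANCipher, []byte("pan:"+r.Last4))
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := make([]byte, 32) // in practice fetched from an HSM/KMS at runtime
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := StoreCard(kek, "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	pan, err := ReadCard(kek, rec)
	fmt.Println("with KEK:", pan, err)
	// An attacker who exfiltrated the table but not the KEK gets an auth failure.
	_, err = ReadCard(make([]byte, 32), rec)
	fmt.Println("without KEK:", err)
}
```

The design choice worth noting is that the database never holds a key that can decrypt anything on its own. If the KEK lives in the same host, config file or backup as the records, an intruder who copies the database copies the keys too, which is exactly the scenario Marriott could not rule out.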
How did it happen?
An internal security tool flagged an attempt by an unauthorized party to access the Starwood guest reservation database on September 8, 2018. Marriott’s investigation then found that the intruders had accessed the information, encrypted a copy of it and attempted to remove it from the network. Because the staged copy had been encrypted by the attackers, it took Marriott until late November to decrypt it and determine what it contained.
In a press release, Marriott CEO Arne M. Sorenson said: “We deeply regret this incident happened…We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
It’s still unclear how the hackers accessed the data, but it’s not the first time Starwood has been subject to a data breach. In 2015, 54 Starwood hotels in North America were hit by point-of-sale malware that harvested credit and debit card data from the payment systems at their restaurants, gift shops and other retail outlets.
What are the affected hotels?
The breach involved the Starwood guest reservation database, so guests who made bookings at the following Starwood properties were affected:
- W Hotels
- The St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton
- Design Hotels
- Starwood-branded timeshares
What to do if you think you’re affected?
If you stayed in a Starwood property on or before September 10, 2018, it’s likely that some of your personal information has been compromised. Marriott has set up a dedicated website and call center to answer frequently asked questions.
Some other steps you can take:
- Cancel or replace any credit card you used to book a Starwood stay (better to be safe than sorry), and watch its statements for charges you don’t recognise.
- Reset your SPG password, and change it on any other site where you reused the same password.
- Ensure that two-factor authentication (2FA) is enabled on any online accounts holding sensitive information – e.g. banking, email, iCloud, Dropbox, etc.
- Sign up for WebWatcher (Marriott is offering affected guests a year’s worth of fraud monitoring services for free).
What should companies do to protect against data breaches?
Breaches like these highlight the importance of implementing a comprehensive cybersecurity program for your business. However, no matter how much you focus on compliance, processes and mitigating risks, mistakes happen and litigation follows. In Marriott’s case, a class action lawsuit has already been filed alleging that the hotel chain “failed to ensure the integrity of its servers and to properly safeguard consumers’ highly sensitive and confidential information.”
If your customers can purchase your services over the web, then you likely hold enormous amounts of sensitive data such as financial information, SSNs and more. You are also required to comply with many privacy and notification laws regarding the loss of this information. A cyber liability policy is designed to protect you from the financial consequences of a cyber attack. The policy will pay for notification costs, damage to your systems and the cost to comply with regulations.
Want to read more on the subject? We’ve picked out some articles we’ve published that we highly recommend reading if you’re interested in learning how to protect your company against cyber threats:
Interested in hearing more about how you can protect your company from the financial and reputational effects of data breaches? Talk to us! You can contact us at firstname.lastname@example.org or create an account here in order to get a quote for a cyber liability insurance policy.