Unprecedented data breach impacted 383m guest records, says Marriott
7 January 2019
Marriott International recently announced that the massive breach of customer records (which it detected in September last year) compromised approximately 383 million data records, including 8.6 million unique payment card numbers, 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.
On 30 November, Marriott International announced, to the horror of millions of its customers, that the personal and financial information of up to 500 million people who had made bookings at the chain's Starwood hotels was compromised after hackers gained unauthorised access to the Starwood guest reservation database on or before 10 September, copied information stored in the database, and attempted to remove it.
The data breach impacted personal and financial information of millions of people who made bookings at Marriott International’s Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.
While the affected Starwood guest reservation database stored combinations of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account numbers, dates of birth and gender of 327 million guests, it also stored payment card numbers and payment card expiration dates belonging to millions of other guests.
Passport and payment card numbers compromised
On Friday, Marriott International issued a fresh update on the incident, announcing that the breach had, in fact, compromised no more than 383 million data records, as against the 500 million it had initially estimated. While the hotel chain refused to quantify the lower number of unique guests affected by the incident, it said that there were multiple records for the same guest.
Compromised data records also included 8.6 million unique payment card numbers (encrypted), 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.
“After further data analysis we have identified approximately 383 million records as the upper boundary for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.
“We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” Marriott International said.
Commenting on Marriott International’s recent disclosure, Stephen Cox, Vice President and Chief Security Architect of SecureAuth, told TEISS that it is the responsibility of organisations not only to encrypt personally identifiable information and other sensitive data belonging to customers, but also to implement a strong identity governance strategy to ensure that the right people are given the right access to the right information at the right time.
“Security teams need visibility into who has access to sensitive data, as well as who has had past access to help limit further incidents, mitigate the risk around unauthorised use, and assist in incident response activity. The security industry as a whole must continue to raise the bar in terms of innovation and user experience to make this often maligned process more manageable for organisations,” he added.
Matt Aldridge, Senior Solutions Architect at Webroot, says that a key question we need to ask is why hotels need to store passport numbers at all. One of the biggest impacts of GDPR was that it forced companies to consider the personal data they hold and ask customers for, whether that data was really needed and, if so, how to protect it properly. This is an example of too much data being collected and retained.
“In some countries there are local government requirements that visitor data is recorded for their domestic security purposes. If this is the case, the relevant personal data should be transferred directly into the relevant intelligence, customs or border control system and should not be retained by the hotel. This is just one example among far too many where data is being requested and stored without proper justification and certainly without appropriate measures in place to protect that data,” he adds.