The hack exposed guest information dating back to 2014.
The Marriott data breach may have been the result of a Chinese intelligence-gathering effort, according to a report by the New York Times.
Marriott announced the hack on November 30, saying hackers targeted its Starwood reservation system and accessed the personal information of hundreds of millions of guests who have stayed in the hotel chain’s properties since 2014.
Marriott began investigating the hack in September and has yet to publicly identify the culprit, but two people with knowledge of the investigation told the Times that the hackers may have been working on behalf of China’s Ministry of State Security and also targeted health insurers and security clearance files.
“Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests,” a Marriott spokesperson told Vox. “We have no information about the cause of this incident, and we have not speculated about the identity of the attacker. We alerted law enforcement and are cooperating with the investigation.”
In a press release on its website, the company said it was first alerted on September 8 that an unauthorized party had attempted to access the guest reservation database for its Starwood properties, which include hotel chains such as the W and Four Points by Sheraton. An investigation revealed that there had been “unauthorized access to the Starwood network since 2014,” and that approximately 500 million guests’ personal information had been compromised.
For roughly 327 million of those guests, the data breach revealed “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” according to the company’s statement. Other guests’ credit card numbers and expiration dates also may have been accessed.
“We deeply regret this incident happened,” Marriott president and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Who is affected by the Marriott hack?
The hack affected an estimated 500 million guests who have stayed at Marriott’s Starwood brand hotels since 2014. Those properties include the W Hotels, the St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels, and Starwood-branded timeshares, according to the company. (Marriott acquired Starwood Hotels & Resorts Worldwide in 2016 for $13.6 billion.)
On November 30, Marriott will begin emailing guests whose information may have been compromised, the company said in a statement. It has also set up a dedicated website and call center for guests who have questions about the hack and whether their information was compromised, and is giving guests in the US, UK, and Canada free year-long subscriptions to WebWatcher, software that alerts users to potential identity theft or fraud.
“The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” Ted Rossman, an industry analyst at CreditCards.com, told Skift, a business-to-business media company that reports on the travel industry. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
Rossman recommended that anyone whose information may have been compromised freeze their credit cards to prevent the hackers from opening fraudulent accounts in their name.
How to protect yourself against big data breaches and hacks
Marriott is by no means the first big company to get hacked. Mashable keeps a running list of companies that have been hacked, including eBay, Home Depot, and Chipotle. Target was hacked in 2005, and again in 2014; the second breach affected 70 million people. In 2017, hackers targeted the credit reporting agency Equifax, exposing the information of more than 145 million customers — nearly half the total US population.
After last year’s Equifax hack, Wired put together a guide to protecting yourself and your information. Some of the tips are straightforward, like changing your passwords and using a password manager instead of reusing passwords from site to site. They also suggest that you check the website HaveIBeenPwned to see if your information is floating around somewhere on the internet without your knowledge. If your information has been compromised, the good news is that passwords and credit card numbers are easy to change. If hackers got access to your Social Security number, though, Wired suggests you keep an eye on your bank account from now until the end of time.
Even if your information wasn’t compromised in the Marriott hack, it’s possible that at some point, your name, address, credit card information, or even your Social Security number has been exposed through some kind of corporate hack. The Marriott hack is being described as one of the biggest data breaches in history — and it’s unlikely to be the last.