On Friday, hotel chain Marriott International announced in a press release that the reservation system for their Starwood line of properties had been
It is still unknown at this time who is responsible for the data breach, how they succeeded in compromising the data, or what their intentions are. The facts we do know are
According to the press release, the initial breach occurred in 2014 and lasted until September of this year when an internal security tool initiated an alert that an unauthorized party had attempted to access the company database. This means that for a full four years, Marriott had been inadvertently
Once the unauthorized attempt to access the database was detected, Marriott consulted with security experts to help determine what was going on. A forensic investigation into the matter uncovered that the hackers had copied and encrypted information from the database. Investigators recently concluded after decrypting the information that the compromised data was from their Starwood guest reservation database.
Marriott’s Starwood line of properties includes W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels, as well as Starwood brand timeshare properties. Any guests who stayed at any of these properties before September 10th, 2018 are potentially affected. Marriott brand hotels were not compromised because the Marriott and Starwood guest reservation databases were kept separate.
The personal information contained in the guest reservation system is highly detailed, and allowing that personal information to fall into the wrong hands is a frightening oversight.
According to Marriott’s statement, the types of personal data compromised include “Some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” On top of that, Marriott confirms that credit card numbers, along with credit card expiration dates, were also compromised. Though the press release claims that the card numbers were encrypted, what Marriott cannot confirm at this time is whether the encryption keys were stolen. If so, then we can assume the card numbers were accessed by the unauthorized party.
Marriott CEO Arne Sorensen apologized on behalf of the chain, stating, “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.” Sorensen continued by explaining the company’s next steps, “Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call
It’s encouraging to know what steps are being taken to shore up Marriott security
The fallout for Marriott will likely continue for some time as further investigations into the breach get underway. In addition, they are likely to be left with a
Regardless of whether their financial health remains intact following the breach, this incident highlights the disturbing fact that many large corporations are gravely ill-prepared to prevent and detect cyber attacks on their networks. We only need to look at the recent incidents involving Yahoo in 2013 and Equifax in 2017 to see that these types of large-scale security breaches are all too common, and seem to be happening with greater regularity.
In order to prevent this becoming a
In the Marriott case, several burning questions remain: What security deficiencies ultimately allowed the hackers to compromise the database? Why did it take four years to detect the breach? Who was responsible for the attack and what are they doing with the data? Why does Marriott not know if the encrypted credit card data was compromised? The answers to these questions could provide Marriott and others with critical insight as to why this happened and more importantly what they can do to ensure it never happens again.
If you want to take further precautions to ensure your online safety when you're connected to hotel WiFi, you may want to consider using a VPN. Take a look at our best VPN services page for more information.