The company disclosed the intrusion in a regulatory filing today. Marriott said hackers broke into a guest database belonging to its Starwood subsidiary in 2014, when the group was still a separate company, and siphoned off records over the next four years. The hackers had access to the data of travelers who made reservations through Sept. 10 of this year.
The exposed information is believed to include numerous personally identifiable details. Marriott said in its regulatory filing that “for approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.”
An unknown percentage of the affected customers have also had their payment information exposed. That included the card numbers and expiration dates, according to the filing. Starwood stored this financial data in an encrypted form, but Marriott warned that the hackers may have stolen the cryptographic components necessary to read it.
The intrusion represents the second-largest data breach on record behind the 2013 hack at Yahoo that exposed all 3 billion of the company’s users at the time. It also isn’t the first time that Starwood reported a large-scale cyber attack. In late 2015, the hotel operator disclosed that point-of-sale malware infected cash registers at 50 of its locations.
Matt Aldridge, a senior solutions architect at cybersecurity provider Webroot Inc., said there’s a risk that the attack may have spread from Starwood systems into Marriott’s systems. “It will be interesting to learn more as further details emerge, including whether the encryption keys were also exfiltrated, unlocking the payment cards of millions of Starwood customers,” he said.
This attack could have significant financial consequences for Marriott even if it turns out to be limited to Starwood’s network. Not only did the breach affect an extraordinarily large number of people, but it also went unaddressed for four years. IBM Corp. estimates the average time it takes to contain large-scale cyber attacks is just one year.
Another notable factor is that the scale of the breach means customers from the European Union are almost certainly affected. Under the EU’s General Data Protection Regulation, companies that expose user information can receive fines amounting to as much as 4 percent of their global annual revenue.
“Newly regulated industries such as the hospitality industry still have a long way to go to satisfy protection requirements dictated by standards such as GDPR,” Kelly White, chief executive officer of Accel-backed security startup RiskRecon Inc., said in a report.
“Based on our analytics, the hotel industry dramatically underperforms long regulated industries such as banking and healthcare in key areas of cybersecurity,” he added. “For example, in comparison with banks, hotels have a 400 percent higher rate of critical software vulnerabilities present in internet-facing systems that store and process sensitive, regulated information. In comparison with healthcare, hotels have a 180 percent higher rate.”
Marriott is already feeling the fallout from the breach, with its stock currently down more than 6 percent.