500 Million Guest Records from Marriott Compromised in Starwood Data Breach

Marriott International Discloses Major Data Breach Affecting 500 Million Guests

Marriott International, the largest hotel chain globally, has reported a significant cybersecurity breach involving its subsidiary, Starwood Hotels. Unknown hackers accessed a guest reservation database, compromising the personal information of approximately 500 million guests. This incident underscores the increasing sophistication of cyber-attacks targeting large corporations.

Starwood Hotels and Resorts Worldwide was acquired by Marriott for $13 billion in 2016. The brand encompasses multiple hotels, including St. Regis, Sheraton, W Hotels, and Westin, among others. This breach is among the largest in history, second only to the infamous Yahoo breach in 2016, which affected nearly 3 billion user accounts.

The intrusion is believed to have begun as early as 2014, when unauthorized parties gained access to Starwood’s guest reservation database. The initial detection of the breach occurred on September 8, after an internal security tool flagged an attempt to access the database. Further investigations on November 19 revealed that sensitive guest information stored in the database had been accessed.

The compromised data includes names, mailing addresses, phone numbers, email addresses, passport information, birth dates, genders, as well as travel itineraries and reservation details. Of particular concern, some users’ payment card numbers and expiration dates were also extracted. However, Marriott has stated that these payment card numbers were encrypted using Advanced Encryption Standard (AES-128), leaving uncertainty regarding the potential for decryption by the attackers.

Marriott’s ongoing investigation has confirmed that the unauthorized access was limited to the Starwood network and did not extend to the Marriott network. The company also affirmed that it is in the process of notifying affected customers and has engaged with regulatory bodies, as well as law enforcement, to facilitate investigations.

This breach may also have consequences under the European Union’s General Data Protection Regulation (GDPR), which could expose Marriott to significant fines if it is found to have violated the regulation. The maximum penalty could reach 17 million pounds or 4 percent of its annual global revenue, whichever amount is greater.

From a cybersecurity perspective, the tactics involved in this incident can be described using the MITRE ATT&CK framework. Although the specific techniques have not been disclosed, an intrusion of this kind would involve initial access (for example through social engineering or exploitation of a vulnerability), persistence over the roughly four years the attackers remained in the network, and data exfiltration from the reservation database. As organizations evaluate their own defenses, this breach is a stark reminder of the importance of robust data protection measures and of continuous monitoring for unauthorized database access.
