Up to half a billion Marriott hotel customers’ personal and financial information hacked
The Marriott hotel group has disclosed a data breach exposing the personal and financial information of as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement.
Marriott added that customer payment card data was protected by encryption technology, but that the company could not rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.
The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.
In 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of the its guest reservations or membership systems.
In 2016, KrebsOnSecurity revealed that banks were detecting a pattern of fraudulent transactions on credit cards that had one thing in common; they’d all been used during a short window of time at InterContinental Hotels Group (IHG) properties, including Holiday Inns and other popular chains across the United States.
It took IHG more than a month to confirm that finding, but the company said in a statement at the time it believed the intrusion was limited to malware installed at point of sale systems at restaurants and bars of 12 IHG-managed properties between August and December 2016.
In April 2017, IHG acknowledged that its investigation showed cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data — including those used at front desks in certain IHG properties.
Marriott says its own network does not appear to have been affected by this four-year data breach, and that the investigation only identified unauthorised access to the separate Starwood network.
Starwood hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) programme.
Marriott is offering affected guests in the United States, Canada and the United Kingdom a free year’s worth of service from WebWatcher, one of several companies that advertise the ability to monitor the cybercrime underground for signs that the customer’s personal information is being traded or sold.
The breach announced today is just the latest in a long string of intrusions involving credit card data stolen from major hotel chains over the past four years — with many chains experiencing multiple breaches. In October 2017, Hyatt Hotels suffered its second card breach in as many years. In July 2017, the Trump Hotel Collection was hit by its third card breach in two years.
In Sept. 2016, Kimpton Hotels acknowledged a breach first disclosed by KrebsOnSecurity. Other breaches first disclosed by KrebsOnSecurity include two separate incidents at White Lodging hotels; a 2015 incident involving card-stealing malware at Mandarin Oriental properites; and a 2015 breach affecting Hilton Hotel properties across the United States.
Please mind the gap… or healthcare may fall
Imagine sharing a lengthy train journey with others. From beginning to end, imagine how often you might hear ‘mind the gap’ messages about embarking and disembarking safely. Picture how navigating…
Women Lead: My journey from Dragons’ Den to Silicon Valley
Following her appearance on Dragons’ Den, Sheila Hogan, serial entrepreneur, founder and chief executive of digital legacy vault, Biscuit Tin, shares her experience of her time in the Den and…
Look anywhere – the future is ‘aged tech’. But Scotland needs to be more adventurous
Scottish Care, as the representative body of independent social care providers of care home, care at home and housing support services, has been working over several years with colleagues in…
Women Lead: Engineer turned entrepreneur
We are always fascinated by other people’s stories. It’s how we connect, grow and learn from each other. Until very recently I always felt like I didn’t have a story to tell. Who…
‘Women – together we will change the dynamic in tech’
I was inspired to start a career in technology when personal computers were in their infancy and the internet decades away. My childhood dream of becoming a scientist was shaped by…
It’s time to change the future of tech apprenticeships – and we need your help
In his latest exclusive column for Futurescot, Ross Tuffee, chair of the Skills Development Scotland (SDS) Digital Economy Skills Group, calls on tech employers to get involved in shaping the…
What AI difference a year makes
Amazingly, it’s been one year since the publication of Scotland’s AI Strategy. And what a year it has been. Demanding but rewarding, with good progress made and great foundations laid…
International Women’s Day: It’s time to harness power of women in technology
As we celebrate International Women’s Day, I hope to be part of a future where barriers that prevent women from competing on a level playing field in the work environment…