Marriott Purchased an Already-Hacked Starwood Hotels
On November 30th, Marriott International admitted they experienced a security breach exposing personal and payment info of 500 million customers, including passport numbers and credit card numbers, making it one of the 2nd largest security breaches in US corporate history. The breach came from the database of Starwood, a hotel chain Marriott acquired for $13 billion back in 2016. It has since been discovered that there had been unauthorized access to the Starwood database since 2014. This raises the question: was this a preventable situation for Marriott?
On September 8th, Marriott received an alert from an internal security tool concerning the Starwood guest reservation database. In response, Marriott tasked a security expert to find out what was happening, and learned an “unauthorized party” had accessed customers’ information and had even encrypted parts of the data set. It was not until November 19th, 2018, that Marriott was finally able to decrypt the information and discover that it was the contents of the Starwood guest reservation database that had been taken.
For 173 million of the affected, the information taken was limited to name, email address, mailing address, or other minor pieces of information. For the remaining 327 million, however, the information taken was some combination of name, email address, mailing address, phone number, passport number, date of birth, gender, information on arrival and departure times from the hotels they’ve stayed at, reservation dates, and Starwood Preferred Guest account information. Payment card numbers and expiration dates were also taken from some guests, but that information was encrypted. However, Marriott cannot rule out at this point that the information has been decoded.
While the size of the hack will get the most attention, it shouldn’t be overlooked that there had been unauthorized access to the Starwood database since 2014, two years prior to Marriott acquiring the company. So, how did Marriott not become aware of this when they acquired the company? It can be assumed that Marriott did not do a thorough enough security inspection of Starwood before the acquisition.
There seems to be a major lesson with every major security breach or data leak we see, and the major lesson from this one seems to be: do a proper cybersecurity check and analysis of any businesses you acquire, or third-party vendors you work with. Seriously, it’s no joke. When you work closely with other businesses, their vulnerabilities become your problem too. You need to hold them accountable and not allow yourself to be put in a situation like the one Marriott is in today. For any new vendor or business you plan to work with closely and share your business information with, make sure they’re well protected and not currently breached. For financial firms/financial-adjacent firms here in New York, DFS regulations require you to make sure your third-party vendors are compliant with DFS, so be sure to read up on their rules to be as protected as possible.
So who’s affected? What is being done about it?
In response to this event, Marriott has immediately set up a website for customers affected/those who fear they may have been affected by the breach, as well as a free yearlong subscription to WebWatcher, a service that monitors sites where personal information is shared and alerts you if your information is found there. The subscription to WebWatcher can be found on the website that Marriott has set up. Marriott has also set up a call center, though the company stated that “Call volume may be high, and we appreciate your patience.” This is to be expected in the days following a massive breach like this.
Marriott has also begun to send out emails to affected guests whose email addresses are in the Starwood guest reservation database. If you’re still nervous you may have been affected, the following are the hotels whose guests’ data became vulnerable, for anyone who stayed there prior to September 18th, 2018 (any reservations after this date are not affected, according to Marriott):
-Sheraton Hotels & Resorts
-Westin Hotels & Resorts
-The Luxury Collection
-Le Meridien Hotels & Resorts
-Four Points by Sheraton