International hotel chain Marriott announced today a security breach during which the personal details of 500 million hotel guests were stolen.
The breach happened in 2014, but Marriott says it became aware of it on September 10, two days after its staff spotted an alert from an internal security tool about an attempt to access the Starwood guest reservation database in the United States.
[...]
The Starwood hotel chain, which Marriott acquired in 2016, includes other hotel brands, such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Investigators said that for 327 million of the Starwood guests, the information that attackers stole included a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some of these guests, payment card data was also stolen, but Marriott did not say for how many.
"For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)," the hotel said today in an SEC filing.
"There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken," the hotel chain added.
For the rest, up to 500 million, the data included only a name, and sometimes other details such as a mailing address, email address, or other information.