NEW YORK (AP) - Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, obtaining credit card and passport numbers and other personal data, the company said Friday as it acknowledged one of the largest security breaches in history.
The full scope of the failure was not immediately clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.
The crisis quickly emerged as one of the biggest data breaches on record.
"On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade," said Chris Wysopal, chief technology officer of Veracode, a security company.
By comparison, last year's Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
Security analysts were especially alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.
It was unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.
"We fell short of what our guests deserve and what we expect of ourselves," CEO Arne Sorenson said in a statement. "We are doing everything we can to support our guests and using lessons learned to be better moving forward."
Marriott set up a website and call center for customers who believe they are at risk.
The hackers' access to the reservation system could be troubling if they turn out to be, say, nation-state spies rather than con artists simply seeking financial gain, said Jesse Varsalone, associate professor of cybersecurity at the University of Maryland University College.
Reservation information could mean knowing when and where government officials are traveling, to military bases, conferences or other destinations abroad, he said.
"There are just so many things you can extrapolate from people staying at hotels," Varsalone said.
The richness of the data makes the hack unique, Wysopal said.
"Once you know someone's arrival, departure, room preferences," that could be used to incriminate a person or for a reputation attack that "goes beyond your traditional identity theft or credit-card theft," he said.
It isn't common for passport numbers to be part of a hack, but it is not unheard of. Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers' information had been breached, including passport numbers.
Passport numbers are often requested by hotels outside the U.S. because U.S. driver's licenses are not accepted there as identification. The numbers could be added to full sets of data about a person that bad actors sell on the black market, leading to identity theft.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.
But one redeeming factor about passports is that they are often required to be seen in person, said Ryan Wilk of NuData Security. "It's a highly secure document with a lot of security features," he said.
Email notifications for those who may have been affected begin rolling out Friday.
When the merger was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.
While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.
The names, addresses, passport numbers and other personal information "is of greater concern than the payment info, which was encrypted," analyst Ted Rossman of CreditCards.com said, citing the risk that thieves could open fraudulent accounts.
An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had possibly been exposed until last week.
Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was premature to estimate what financial impact the breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.
Elected officials were quick to call for action.
The New York attorney general opened an investigation. Virginia Sen. Mark Warner, co-founder of the Senate Cybersecurity Caucus, said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers "shoulder the burden and harms resulting from these lapses."
Chapman reported from Newark, New Jersey.
READ THEIR STATEMENT:
Marriott has taken measures to investigate and address a data security incident involving the Starwood guest reservation database. On November 19, 2018, the investigation determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties* on or before September 10, 2018.
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities.
"We deeply regret this incident happened," said Arne Sorenson, Marriott's President and Chief Executive Officer. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
"Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," Mr. Sorenson continued.
HERE'S WHAT YOU CAN DO IF YOU THINK YOU ARE AT RISK:
Marriott has taken the following steps to help guests monitor and protect their information:
Dedicated Website and Call Center
We have established a dedicated website (info.starwoodhotels.com) and call center to answer questions you may have about this incident. The frequently-asked questions on info.starwoodhotels.com may be supplemented from time to time. The call center is open seven days a week and is available in multiple languages. Call volume may be high, and we appreciate your patience.
Marriott will begin sending emails on a rolling basis starting today, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
Free WebWatcher Enrollment
Marriott is offering guests free enrollment to the WebWatcher program for one year. It monitors websites where personal information is shared and alerts customers when there is evidence of their personal information. WebWatcher can be activated by following this link. https://answers.kroll.com/
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer's personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. Guests from the United States who activate WebWatcher will also be provided fraud consultation services and reimbursement coverage for free. To activate WebWatcher, go to info.starwoodhotels.com and click on your country, if listed, for enrollment.
Marriott is furnishing a Form 8-K with the SEC attaching a copy of this press release and presenting certain other information with respect to the incident.
* Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.