Yesterday, the famous multinational hospitality company Marriott joined Facebook, Uber and other large corporations that have failed to protect their users’ data privacy. Marriott reported that the records of 500 million guests of its Starwood division were compromised by an unauthorized party in a data breach.
Starwood’s hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels were not affected, as they use a separate reservation system.
According to the results of the internal investigation, hackers had had access to the system since 2014, which gave them many opportunities to learn about the system’s weaknesses or simply to work out where the valuable data was. The stolen information includes some combination of:
- phone number
- email address
- passport number
- account information
- date of birth
- arrival and departure information
Some credit card numbers were also stolen as part of the breach. Marriott says that this information was encrypted, but the attackers may also have compromised the decryption keys needed to unlock the data. This revelation marks one of the biggest corporate data breaches in history, second only to one involving Yahoo.
Beginning Friday, Marriott is sending notification emails to impacted customers, warning them that criminals could send spam to their email addresses. It has also established a call center and a breach notification website. Although Marriott is trying to help all victims, there is still one unanswered question.
Marriott International management admitted that they discovered the breach after an internal security tool alerted them in September. Why did it take them so long to figure out what data was accessed, and why did they wait another two weeks before informing those affected? Unfortunately, it is a common problem that big companies try to hide such failures and do not reveal them for as long as possible. Such irresponsibility must be met with huge fines, like the one Uber received some days ago for concealing data breaches.
Marriott will continue its investigation, but it is already clear that the problem of data protection is becoming one of the most important of the 21st century and needs serious action from states and organizations.