Data breaches are occurring with increasing frequency at name-brand companies, and it’s certainly cause for concern. Millions of customers worldwide are typically harmed by these incidents, and more often than not sensitive identification and financial data is leaked.
Now the latest big data breach story is about Marriott, a very large international hotel chain. The breached data pertains to people who stayed at Starwood Hotels and Resorts properties at least once between 2014 (no more precise date is given) and September 10th, 2018. Even if you didn’t stay at a Marriott-branded hotel during this time period, there’s still reason for you to be concerned. The Starwood Hotels and Resorts chain includes the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection properties, Tribute Portfolio properties, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels. Interestingly enough, although the press release reporting the breach is under the Marriott International name, Marriott-specific data wasn’t involved in this breach because the Starwood and Marriott reservation databases are still separate.
The large number of international properties and brands is the result of ongoing corporate mergers over the past few decades. Most recently, the merger of Marriott International and Starwood was approved on September 23, 2016. I know that several of those hotels are in my hometown of Toronto, and they’re also in cities and larger towns all over the Americas, Europe, Asia, Africa, Oceania, and the Middle East. There are collectively thousands of properties in 130 countries. If you stayed at a nice hotel in the past few years, there’s a chance that this breach has impacted you.
Marriott International reported the breach in a press release on November 30th. It explains:
“Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”
So how many customers are affected by the breach?
“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other limited information.”
Wow. So at least a few hundred million people were affected. I hope more specific numbers come out as progress is made in the post-incident investigation.
I’m glad that Marriott International reported the breach less than a few months after they discovered it; that’s better than what many large corporations have done in response to their data breaches. I’m also glad that they seem to be providing as much information as they’re able to. And that’s about as many nice things as I have to say about this matter.
Here are my criticisms. They discovered the breach in early September. Inevitably many of the impacted customers are citizens and residents of European Union countries. The EU’s General Data Protection Regulation came into effect this past May, and the law applies to the data of those customers even if they were staying in a hotel outside of Europe. According to the GDPR, breaches must be reported within 72 hours of discovery. The time Marriott International took to report this breach probably violated the GDPR. Time will tell whether or not the corporation gets fined.
The data privacy laws elsewhere in the world typically aren’t as strict as the GDPR. I know Canada’s PIPEDA regulation doesn’t mandate a specific time frame for reporting breaches! But sometimes the GDPR helps data breach victims who aren’t from the EU. If a breach affects people all around the world as this Starwood breach does, the fact that some of the customers are from the EU means that breach victims worldwide benefit from the pressure to report within 72 hours.
Still, Marriott International took nearly three months after discovery to report this breach.
It seems like Marriott International fixed the cause of the breach on September 10th, a couple of days after discovery. But this breach goes all the way back to 2014. Marriott says that a security tool of some sort helped them to discover the breach. Was that tool just very recently implemented? Did Starwood’s network lack proper intrusion detection devices, logging, and SIEM until very recently? That possibility bothers me.
This breach not only affects customers who are Starwood Preferred Guest (SPG) program members, but also customers who aren’t SPG members. If you think you may be a victim of this breach, here’s what you can do.
If you have an SPG account, change its password as soon as you possibly can. Then watch your SPG account for suspicious activity. Whether or not you’re an SPG customer, look at your credit card statements if you used a card at any of these Starwood properties. If something looks amiss, call your bank or the credit card issuer as soon as possible. Check whether your email address appears in a known breach via Have I Been Pwned. Just keep in mind that you may still be affected by the Marriott breach even if your accounts aren’t listed in the site’s database, and the site may also list your data from unrelated data breach incidents. When in doubt, it doesn’t hurt to change all of your passwords for everything! Use a reputable password manager so you can have a unique, complex password for every account without writing any of them down on paper.