[BreachExchange] Marriott says 500 million Starwood guest records stolen in massive data breach

Destry Winant destry at riskbasedsecurity.com
Fri Nov 30 09:27:06 EST 2018


https://techcrunch.com/2018/11/30/starwood-hotels-says-500-million-guest-records-stolen-in-massive-data-breach/

Starwood Hotels has confirmed its hotel guest database of about 500
million customers has been stolen in a data breach.

The hotel and resorts giant said in a statement filed with U.S.
regulators that the “unauthorized access” to its guest database was
detected on or before September 10 — but may have dated back as far as
2014.

“Marriott learned during the investigation that there had been
unauthorized access to the Starwood network since 2014,” said the
statement. “Marriott recently discovered that an unauthorized party
had copied and encrypted information, and took steps towards removing
it.”

Specific details of the breach remain unknown. We’ve contacted
Starwood for more and will update when we hear back.

The company said that it obtained and decrypted the database on
November 19 and “determined that the contents were from the Starwood
guest reservation database.”

Some 327 million records contained a guest’s name, postal address,
phone number, date of birth, gender, email address, passport number,
Starwood’s rewards information (including points and balance), arrival
and departure information, reservation date, and their communication
preferences.

Starwood said an unknown number of records contained encrypted credit
card data, but has “not been able to rule out” that the components
needed to decrypt the data weren’t also taken.

“Marriott reported this incident to law enforcement and continues to
support their investigation,” said the statement.

Marriott-owned Starwood is the largest hotel chain in the world, with
more than 11 brands covering 1,200 properties, including W Hotels, St.
Regis, Sheraton, Westin, Element and more. Starwood branded timeshare
properties are also included.

The company said that its Marriott hotels are not believed to be
affected as its reservation system is “on a different network,”
following Marriott’s acquisition of Starwood in 2016.

The company has begun informing customers of the breach — including in
the U.S., Canada, and the U.K.

Given that the breach falls under the European-wide GDPR rules,
Starwood may face significant financial penalties of up to four
percent of its global annual revenue if found to be in breach of the
rules.

