A booking database run by the Marriott hotel chain has been hit by a vast hack that could affect half a billion people.
The vast collection of people’s personal information, used to book rooms at its Starwood properties, has been accessed by unauthorised people since 2014, it said.
The data accessed in the cyber attack included information about those people’s credit cards that could be used to steal money, Marriott warned.
That sensitive information was protected by encryption that should have meant it was unreadable even if people had access to the database. But the hackers may also have stolen the keys needed to decrypt that data and see what it said, the company warned.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Marriott was first alerted to a potential breach in September, it said, when an internal security tool found someone was trying to access its database. It then found that people seemed to have been in the database since 2014, and they had copied information apparently with a view to taking it.
The company said it had informed law enforcement and was working with them on the investigation. It is also notifying the relevant regulatory authorities, it said – in Europe, those regulators can impose substantial fines for such breaches, under new data protection regulation.
It also said it had set up a dedicated website and call centre for customers who fear their data might have been part of the hack, and will start sending out emails to customers immediately. Customers will also be given a year’s free access to a monitoring service, which will crawl the internet to see if their personal information is being shared.
Marriott bought Starwood in 2016, adding a host of luxury hotels and resorts and creating what it said was “the world’s largest and best hotel company”.