A massive Marriott data breach has been detected which could affect as many as 500 million individuals who previously made bookings at Starwood Hotels and Resorts. While the data breach is not the largest ever reported – The 2013 Yahoo breach exposed around 3 billion records – it shares second place with the 2014 Yahoo data breach that also impacted around half a billion individuals.
Largest Ever Hotel Data Breach
The Marriott data breach may not have affected as many people as the 2013 Yahoo data breach but due to the types of information stolen it is arguably more serious. Approximately 173 million individuals have had their name, mailing address, email address stolen and around 327 million individuals have had a combination of their name, address, phone number, email address, date of birth, gender, passport number, booking data, arrival and departure dates, and Starwood Guest Program (SPG) account numbers stolen. Further, Marriott also believes credit card details may have been stolen. While the credit card numbers were encrypted, Marriott cannot say for certain whether the two pieces of information required to decrypt the credit card numbers was also obtained by the hacker.
In addition to past guests at Starwood Hotels and Resorts and Starwood-branded timeshare properties, guests at Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Aloft Hotels, Element Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, and Four Points by Sheraton have been affected, along with guests at Design Hotels that participate in SPG program.
The data breach was detected by Marriott on September 8, 2018, following an attempt by an unauthorized individual to access the Starwood database. The investigation revealed the hacker behind the attack first gained access to the Starwood database in 2014. It is currently unclear how access to the database was gained.
The Marriott hotels data breach is naturally serious and will prove costly for the hotel group. Marriott has already committed to offering U.S. based victims free enrollment in WebWatcher, has paid for third party experts to investigate and help mitigate the data breach, and the hotel group will be bolstering its security and phasing out Starwood systems.
Even though the Marriott hotels data breach has only just been announced, two class action lawsuits have already been filed. One of the lawsuits seeks damages totaling $12.5 billion – $25 per breach victim.
There is also a possibility of a E.U. General Data Protection Regulation (GDPR) fine. Fines of up to €20 million are possible, or 4% of global annual turnover, whichever is greater. That could place Marriott at risk of a $916 million (€807 million) fine. The UK’s Information Commissioner’s Office – the GDPR supervisory authority in the UK – has been notified of the breach and is making enquiries.
Harder to calculate is the damage to the Marriott brand. Share prices dropped by 8.7% following the Marriott data breach announcement, and they are currently around $5 down. While share prices will likely recovery over time, the breach will almost certainly result in loss of business.
Risk of Marriott Data Breach Related Phishing Attacks
Email notifications sent to breach victims by Marriott came from the domain: email-marriott.com. Rendition Infosec/FireEye researchers purchased the domains email-marriot.com and email.mariott.com shortly after the announcement to keep them out of the hands of scammers. Other similar domains may be purchased by less scrupulous individuals to be used for phishing.
A breach on this scale is also ideal for speculative phishing attempts that spoof the email domain used by Marriott. Mass email campaigns are likely to be sent randomly in the hope that they will reach breach victims or individuals that have previously stayed at a Marriott hotel or one of its associated brands.
Consequently, any email received that is related to the breach should be viewed as potentially malicious.