On Friday, Marriott International disclosed a massive breach of its Starwood reservation system that exposed the personal and financial information of 500 million guests. Stolen reservation records included names, addresses, dates of birth, passport numbers, email addresses, phone numbers, and encrypted credit card numbers of half a billion guests who stayed at Starwood properties over the past four years.
Marriott was alerted to a potential breach in September, prompting an internal investigation, the details of which were disclosed in a statement released on Friday morning. In the statement, Marriott said, “The investigation determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.” The company found evidence of unauthorized access to the reservation database dating as far back as 2014.
For 327 million customers, the information included a combination of name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, reservation date, and communication preferences. An unspecified number of records also included credit card numbers and expiration dates, which were encrypted.
However, while the financial information was encrypted, the company said in its statement that “there are two components needed to decrypt payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” leaving it unclear whether hackers have the keys necessary to decrypt the card data.
In response to the incident, Marriott has set up a dedicated website and call center for customers to contact with questions and is offering a free one-year subscription to WebWatcher. The hack is one of the most egregious intrusions in a long litany of recent consumer data breaches, with Marriott joining the unenviable ranks of Yahoo and Equifax.
The New York Attorney General’s office has already announced an investigation into the breach, with Attorney General Barbara Underwood tweeting, “We’ve opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected.” And given the international scope of the data that was exposed, European regulators will most likely follow suit. Under the European Union’s newly implemented General Data Protection Regulation (GDPR), companies face fines of up to 4% of global revenue for failing to comply with data protection rules.
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data.
Bloom enables you to own, authorize the use of, and protect your data using the latest advancements in blockchain technology. With Bloom, the risk of your data being exposed in a data breach or leak is greatly reduced. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Your identity, and your highly sensitive personal and financial information, is securely safeguarded on your own personal device using cutting-edge cryptography.