500 million customers affected in massive Marriott hack

The records of 500 million customers of Marriott Hotel Group have been leaked in a huge data breach, with payment details included.

The hotel group admitted that the guest reservation database of its Starwood Hotels and Resorts division had been compromised by an unnamed third party.

The attackers gained initial access approximately four years ago, in 2014, and are believed to have had continuing access to the database since then.

The hotel brands affected, which use the same reservation database, include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton.

Marriott-branded hotels use a different reservation system on a separate network.

Marriott says that it discovered the hack in September 2018.

"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database," it announced on a website set up to notify affected parties of the breach.

It continued: "Marriott quickly engaged leading security experts to help determine what occurred.

"Marriott learned during the investigation that there had been unauthorised access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.

"On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."

It further added that 500 million guests are affected, with payment details included in the breached data.

"Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.

"For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

"For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)."

It concluded, saying that it regrets the incident.

"Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts.

"Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve.

"Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."

In a statement, the UK's Information Commissioner's Office said:

"We have received a data breach report from Marriott involving its Starwood Hotels and will be making enquiries. If anyone has concerns about how their data has been handled they can report these concerns to us."