A breach of a guest reservation database of the Starwood division of the Marriott International hotel group highlights basic personal data protection failures
Marriott International, which is the latest hotel group in a long and growing list to admit to a personal data breach, has warned guests that a database of its Starwood division has been compromised and that up to half a billion records may have been exposed.
The group said in a statement on its website that it has taken measures to investigate and address the security incident affecting reservations at Starwood properties between 2014 and 10 September 2018, which could have serious repercussions for the business in terms of fines for breaching data protection regulations around the world.
This means the hotel group has taken 20 days to alert those affected by the breach while it conducted an investigation to determine what occurred.
Simon McCalla, chief technology officer (CTO) of Nominet, said the fact that it took Marriott 4 years to identify the breach paints a grim picture of the security system they had in place and how susceptible they were to threats from outside the business.
“Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital. Proactive defence is better than retrospective,” he said.
Joseph Carson, chief security scientist at Thycotic, said the breach will raise questions as to when Marriott knew about the breach and whether or not it complied with global regulations such as the EU’s General Data Protection Regulation (GDPR), which imposes financial penalties of up to €20m or 4% of annual turnover.
The hotel group said it has not yet completed identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests.
For approximately 327 million of these guests, the information includes some combination of name, postal address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128).
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the hotel group said.
For the remaining guests, the information was limited to name and sometimes other data such as postal address, email address or other information.
Security commentators have described the compromised information as a potential “goldmine” for cyber criminals to commit fraud and other crimes, and said the breach should serve as a “wake-up call” for all businesses to take the security of customers’ data more seriously.