A major investigation is underway in the US after the Marriott hotel chain revealed a massive data breach affecting the personal details of up to 500 million guests who made reservations at its Starwood properties.
According to a statement released on Saturday (Friday local time), the US company said they had discovered unauthorised access to the reservation database.
“We fell short of what our guests deserve and what we expect of ourselves,” chief executive Arne Sorenson said.
“We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The hack, among the largest ever disclosed, prompted a big drop in Marriott shares and the New York Attorney General to open its own investigation.
Attorney General Barbara Underwood said residents need to know that their personal information is safe.
We’ve opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected.
— NY AG Underwood (@NewYorkStateAG) November 30, 2018
The discovery came as part of an investigation earlier this month, which had been looking at a cyber attack dating back to 2014.
The company believes the breach affected “up to approximately 500 million guests who made a reservation at a Starwood property”.
For around 327 million of those people, the duplicated information includes some combination of name, address, phone number, email, passport number, and other personal details, as well as details of their stay, the statement said.
Credit card numbers and expiration dates of some guests may have been taken.
Marriott first became suspicious of a possible hack in September after receiving an alert from an internal security tool.
The investigation found the thieves copied and encrypted information, and took steps towards removing it.
Last week the company was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
In addition to Westin, Sheraton and St Regis, the Starwood chain of hotels includes Le Meridien and W Hotels.
Guests of the hotel chain took to Twitter to express their outrage and concern, describing the breach as “huge” while others suggested changing your date of birth to make it difficult for hackers, “Congrats on your new birthday”.
One angry user said: “I’m just going to post my info out on 4chan and get it over with”.
Lawyers have already seized on the data breach, announcing lawsuits have been lodged against Marriott.
BREAKING: Following a #databreach that compromised the personal information of 500 million customers who made reservations at #Starwood properties, we have filed a class action lawsuit against Marriott. #ForThePeople #LAW pic.twitter.com/ykYeAxSMMS
— Morgan & Morgan (@forthepeople) November 30, 2018
Marriott purchased Starwood in 2016 and apparently the security vulnerability came along with the purchase. The Starwood IT system is to be discontinued.
Marriott latest to fall victim to hackers
Marriott, one of the world’s largest hotel chains, is the latest corporation to fall victim to a hacker attack.
Internet service provider Yahoo was attacked in 2013 by unknown hackers who gained access to 3 billion user accounts, including names, email addresses, telephone numbers and passwords.
On Friday, Marriott announced a massive hack that impacts as many as 500 million customers who made a reservation at a Starwood hotel. It’s one of the largest breaches in history. Here’s what you need to know: 1/ https://t.co/ydC1k2ZQBm pic.twitter.com/v5miITMcm4
— WIRED (@WIRED) November 30, 2018
A hack into eBay’s system, details of which became public in May 2014, compromised the data of about 145 million customers, including email and residential addresses, as well as log-in information.