On Friday, November 30, Marriott revealed that cybercriminals have compromised the personal details of around 500 million Starwood guests — making this one of the biggest data breaches in recorded history. Here’s what we know about this rapidly developing story.
Details of the breach
According to an official statement released November 30, Marriott first learned of a potential vulnerability on September 8, 2018. An internal security tool warned that an unauthorized party was trying to access sensitive information.
After launching an investigation, Marriott learned that cybercriminals had been abusing the Starwood reservation database since 2014. This date is particularly striking because Marriott didn’t even acquire Starwood until two years later, in 2016.
Since 2014, thieves have been able to repeatedly access, encrypt, and download massive amounts of customer data. In total, the company fears that half a billion customers may have had their sensitive data compromised.
In addition to outlining a timeline of the breach discovery, the hotel chain also issued a brief statement from President and CEO Arne Sorenson:
“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
What types of data were compromised
While the volume of compromised data is certainly shocking, the types of data compromised are equally concerning. According to Marriott, 327 million users had some combination of the following details compromised: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
That’s not all.
Cybercriminals accessed some guests’ payment card numbers and payment card expiration dates, although Marriott didn’t provide an estimate of how many guests were affected. After announcing that card numbers were encrypted using the Advanced Encryption Standard (AES-128), the company warned that guests may not be 100 percent in the clear:
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Starwood is offering a free year of WebWatcher, which offers only dark web monitoring, insurance, and identity recovery. However, as of this morning, enrollment attempts resulted in unknown errors. All PrivacyArmor members already have all of those services, and they also have extensive credit monitoring, financial monitoring, and access to proprietary dark web monitoring. All PrivacyArmor members will also have received alerts for accounts or activity on their identity that occurred over the four years that this Starwood information has been available.
New PrivacyArmor Plus features — live now!
The massive scale of this breach has prompted us to release a new feature earlier than anticipated. As of now, PrivacyArmor Plus members will have access to unlimited TransUnion credit reports and scores. This means you can access this information at any time. This feature was originally scheduled to go live in January 2019; however, we have moved it up to allow you more time to examine your credit reports for any abnormal accounts that may be a result of this breach.