Four years is a long, long time in the world of cybersecurity. But that’s how long hackers have been stealing data out from Marriott Hotels’ servers, according to an announcement from the company on Friday.
The hackers stole a bevy of personal data from customers who stayed at the chain’s Starwood properties on or before September 10. The breach impacted around 500 million guests, and for around 327 million of those, stolen data included the usual name, mailing and email address, and phone number, as well as more hotel-centric information, such as their passport number, reservation date, and arrival and departure information.
The announcement adds that “for some” customers, the stolen data also includes payment card numbers and expiration dates. Marriott’s announcement says that the payment card numbers were encrypted, but the hotel has not been able to rule out the possibility that the information needed to decrypt those was also taken. For the remainder, Marriott says only name, and sometimes mailing and email address address, or “other information” was taken.
“Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts,” Marriott’s announcement reads. “Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
In its investigation, which started on September 8 after an internal security tool found an attempt to access the Starwood guest reservation database, Marriott found that there had been unauthorized access to the Starwood network since 2014, the announcement added.
It is not clear what sort of hackers are behind the breach, be those financially motivated or those who were more interested in the data to monitor people of interest. Previously, cybersecurity researchers found that the Russian government linked hacking group APT28, or Fancy Bear, targeted hotels across Europe and the Middle East.
The lesson: Unfortunately, there is not all that much information for potential victims to act on at the moment, especially around whether your payment card details were stolen. In its announcement, Marriott said it has started sending out emails to people who were in the Starwood reservation database, so that will be the first point of contact to see if you are impacted. This isn’t the sort of breach where you necessarily have to go and change passwords, but it does potentially open up victims to forms of identity theft or fraudulent charges. Marriott is offering customers in the United States, United Kingdom, and Canada free access to a service for one year that monitors sites where personal information is shared, and which will send an alert if it detects the customer's. You'll need to sign up though, so if you're impacted it's best to check the announcement or your email inbox.