Marriott says personal details of 500 million guests at risk after Starwood reservation database hacked

  • Investigation shows that an unauthorised party copied and encrypted information
  • Hotel chain discovered breach in September and will tell customers on Friday if they have been effected
PUBLISHED : Friday, 30 November, 2018, 8:29pm
UPDATED : Friday, 30 November, 2018, 10:33pm

Marriott International said on Friday that 500 million customers that had made bookings since 2014 may have had their personal data stolen, in one of the biggest hacks ever.

The hotel chain said the hack had affected the hotel reservation systems of its Starwood brand, which was sold to its larger rival in 2016.

Hongkongers who previously stayed at Sheraton, St Regis and W Hotel locations, and other chains that came under the Starwood umbrella, would start to learn on Friday if their data, and what kind of data, had been compromised, the global hotel group said in a statement.

For about 327 million of these guests, a combination of names, email and residential address, phone number, passport number, date-of-birth, hotel reservation information, and Starwood Preferred Guest loyalty card numbers were stolen.

For others, credit card details may have been compromised.

Regulators worldwide have taken a sterner view of hacking attacks, which have grown in scale over the years with more personal data stolen, with limited consequences for companies. Some three billion Yahoo customer accounts were breached in 2013.

In Europe, new data privacy regulation threatened companies with fines of up to 4 per cent of global revenue.

TransUnion forced to suspend online services over personal data security flaw

An investigation showed an unauthorised party had copied and encrypted information, something

Marriott learned in September, while its analysis showed the scale of the data theft had spanned four years.

“We deeply regret this incident happening,” said Arne Sorenson, Marriott’s President and CEO. “We fell short of what our guests deserve and what we expect of ourselves.”

The hotel group said it had reported the incident to law enforcement agencies, and begun notifying regulatory authorities.

Hong Kong’s privacy commission has already been notified of the breach by the hotel group, and said it had begun gathering information on the incident.

“We have received the data breach notification from the hotel group and our Privacy Commissioner Stephen Wong Kai-yi is very concerned because it may involve lots of personal data from customers in Hong Kong,” a spokeswoman said.

“The commission has contacted the hotel group and initiated a compliance check.”

Cathay Pacific data leak: what you need to know?

For concerned customers, a dedicated website and call centre has been set up to answer questions about the breach. Customers would also be given access to a product to monitor any misuse of personal data.

Marriott’s acquired Starwood hotel brands in Hong Kong include W Hotel in the International Commerce Centre in Kowloon, Le Meridien located in Cyberport, and the Sheraton in Tsim Sha Tsui.

The breach affecting Marriott draws some parallels with Cathay Pacific Airways, who saw 9.4 million customers’ data compromised between March and May this year, however, the airline only disclosed the breach in October.