Dive Brief:
- After continued investigation, Marriott International identified about 383 million records "as the upper limit" for guests involved in the breach, as opposed to the initial 500 million disclosed in November, according to a company announcement Friday.
- However, the hospitality company also found about 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were compromised. Marriott has yet to find evidence suggesting the unauthorized party had access to the master encryption key needed for the 20.3 million passport numbers.
- About 8.6 million encrypted payment cards were involved, but Marriott found no reason to believe the intruder was able to access "components needed to decrypt" the cards.
Dive Insight:
The implicated server was inherited in Marriott's 2016 acquisition of Starwood and had been accessed unlawfully since 2014.
When Marriott found the intrusion, the company discovered the perpetrators had copied and encrypted the server's information and begun the process of removing it.
While investigations, which include the Federal Bureau of Investigation, continue, Marriott has "completed the phase out" of the compromised Starwood reservations database as of the end of 2018, according to the announcement. Reservations are now handled on Marriott's own systems.
This is "another example of a merger and acquisition where testing the resiliency of the current security controls would have assisted in both the visibility of gaps and discovery that Starwood Hotels was already breached," said Stephan Chenette, CTO and co-founder of AttackIQ, in an email to CIO Dive.
The fault of the breach lies solely with Marriott, despite the vulnerability originating in systems acquired from Starwood. The intruders gained access to the personal data of an elite class of customers, including mailing addresses, guest account information, arrival and departure information, communication preferences, email addresses, gender and birth dates, among other details.
"Marriott will feel the burden of this breach through fines under GDPR and damage to their reputation, potentially causing customers to turn to their competitors," said Chenette.