At a Glance:
Marriott, the largest hotel chain, announced a data breach exposing private data of 500 million guests on Friday. Marriott is an international hotel chain and its brands include W Hotels, St. Regis, Sheraton Hotels, Starwood Hotels, Westin Hotels, Element Hotels, Aloft Hotels, Le Méridien Hotels to name a few. Marriott Data Breach is considered to be the second biggest data breach following the Yahoo breach that exposed personal details of 3 billion users.
The Big Picture:
Marriott announced a data breach due to which sensitive personal information of 500 million guests of its Starwood Hotels were stolen. The international hotel chain said that it became aware of the breach on September 10, 2018 but the investigators had discovered the breach to have occurred in 2014.
- How did they find the breach? On September 8, 2018, Marriott’s staff came across a warning alert from an internal security tool to access the Starwood guest reservation database in the United States. Marriott investigated with leading security experts and two days later they discovered that the data breach dated back to 2014.
- What was stolen? According to Marriott, the stolen data includes names, dates of birth, passport numbers, contact details such as phone numbers, email ids, and addresses, and payment card information such as credit card numbers and expiration dates, but the payment card numbers are encrypted using AES 128 to protect the sensitive information.
- How many users’ financial data has been compromised? Marriott is not sure on hackers getting access to the financial data but that being possible, the hotel chain estimates the number to be not more than 327 million users.
- What are the immediate measures taken? The hotel chain managed to decrypt the data hackers stole from the Starwood Reservation Database.
- Who filed the lawsuit? Just within few hours of announcement, three plaintiffs – two from Oregon and one from Maryland filed a class-action lawsuit against Marriott. The two plaintiffs from Oregon – Chris Harris and David Johnson claimed $25 billion to compensate the losses. More lawsuits are expected to be filed in the coming months.
- What are the short-term aftermath of the breach? Marriott upon announcing the breach, found its share dropping to a maximum of 8.7 percent but its share is now 5 percent down compared to Thursday's closing price.
- What does Marriott have to say about the breach? Arne Sorenson, Marriott’s President and CEO, said ‘We deeply regret this incident. We’re doing our best to support our guests and using lessons learned to be better moving forward’.
He added that Marriott is working hard to ensure all our guests’ questions regarding their personal data are answered through a dedicated website and call center.
We are working closely with the leading security experts to tighten security and to support the efforts of law enforcement. We are devoting the resources necessary to improve security enhancements to our systems and network, he added.