It was reported that 500 million clients of the Marriott hotel group were compromised in the data breach.
The hotel chain Marriott International has revealed that the reservations database of its Starwood division was compromised by unauthorized third parties. According to an internal investigation by digital forensic experts, an attacker has had access to the Starwood database since 2014.
Marriott International says it is notifying all users affected by the database breach.
Marriott absorbed Starwood in 2016, becoming the biggest hotel chain in the world, with more than 5800 establishments worldwide. The Starwood division includes brands like W Hotels, Sheraton, Le Meridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system, on a different network from the other brands the group owns.
Marriott said that its digital forensic team detected a third party trying to access the Starwood database. As the investigation continued, the company discovered that “an unauthorized actor copied and encrypted the information”.
According to the company's estimates, the compromised database contains records of all 500 million affected clients, of which around 320 million records included information such as the client’s name, address, phone numbers, email, passport number and account information.
In some cases, the clients’ records also included encrypted payment card information; however, the possibility that the encryption keys were also stolen has not yet been ruled out.
“We are terribly sorry about this incident. Marriott has already reported this attack to the authorities and will keep helping in the investigation”, said a message from the company.
The company has set up a website for users worried about the status of their personal information. According to digital forensic experts, the company will offer affected clients 1 year of an anti-fraud protection service for free.
Meanwhile, the UK Information Commissioner's Office (ICO) said: “We received a report of a data breach at Marriott that involves the Starwood brand. If any user has doubts about the treatment the company has given to their personal data, they can ask the ICO.”
Although this is not the biggest known data breach, it is surely one of the worst. The attackers not only accessed and copied 500 million records, but were also inside Starwood's systems for nearly 3 years. And even though the payment card information was encrypted, digital forensic experts from the International Cybernetic Security Institute do not rule out that the keys have also been stolen.
Although Marriott's main headquarters are in the USA, the hotel group must comply with the EU's General Data Protection Regulation (GDPR), because the company handles the personal information of citizens in the European community. Even with the ICO investigating this incident, the company could be penalized under the rules of the GDPR.
In addition, this incident could lead to phishing or extortion campaigns that use the compromised information, so the problems for this hotel chain have only begun. For its part, Marriott says that it won’t send any notification emails with attachments, and that it won’t ask clients for any information this way.