Published on: Monday, January 7, 2019
The hotel company conducted its own investigation, which found that there had been unauthorized access to the Starwood network since 2014. An unauthorized party had copied and encrypted information.
For about 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Clark Howard, Channel 2 consumer adviser, recommended being aware of ‘pre-texting emails’ that impersonate government officials and Marriott.
For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers. So far, Marriott has not been able to rule out the possibility that both were taken.
Marriott reported this incident to law enforcement and is supporting their investigation. The company has already begun notifying regulatory authorities.
Arne Sorenson, Marriott’s president and chief executive officer, regretted the incident and the fact that the company fell short of guests’ expectations. The company is learning lessons from the incident.
He added that Marriott is working to answer guests’ questions about their personal information, with a dedicated website and call center. The necessary resources are being used to phase out Starwood systems and to accelerate the ongoing security enhancements to their network. They will support the efforts of law enforcement and will work with leading security experts.