The hotel chain asked guests checking in for a treasure trove of personal information: credit cards, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed in a statement that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests.
The assault started as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax, according to The New York Times.
The intrusion was a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.
The Starwood attack happened roughly the same time as a number of other breaches at American health insurers and government agencies, including the United States Office of Personnel Management, in what security research firms and government officials described as an effort to compile a vast database of personal information on potential espionage targets.
Experts don’t know if the Starwood attack was connected to those other episodes. But Starwood’s data has not popped up on the so-called dark web, according to Recorded Future, a cybersecurity firm, and Coalition, a cyber insurance provider, which suggested that the hotel attackers weren’t looking to sell what they took.
“Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington.
The breach hit customers who made reservations for the Marriott-owned Starwood hotel brands from 2014 to September 2018. The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Element and the Luxury Collection.
Marriott hotels, including Residence Inn and the Ritz-Carlton, operate on a separate reservation system. The company has plans to merge that system with Starwood’s.
The names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.
Marriott said it had set up a dedicated website and call center to deal with guests and said it would try to reach affected customers on Friday to inform them of the breach. The site was having problems staying online shortly after the breach was announced.
The company is offering one year of free enrollment in a service called WebWatcher to people who live in the United States, Canada and Britain. Marriott described it as a service that monitors websites where thieves swap and sell personal information and alerts enrolled customers if their information turns up for sale.
“We deeply regret this incident,” Arne Sorenson, Marriott’s president and chief executive, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves.”
The intrusion went unnoticed for four years by Starwood, which was acquired by Marriott in 2016 for $13.6 billion. It was uncovered in early September, when a security tool alerted Marriott officials to an unauthorized attempt to access Starwood’s guest reservation database. The alert prompted Marriott to work with outside security experts, who discovered that the hackers had grabbed a foothold in Starwood’s systems starting in 2014.
On Nov. 19, digital forensics experts uncovered the full scope of the attack. It was the second major security breach Starwood has reported. Its cash register systems were penetrated in 2015.
The Federal Bureau of Investigation said in a statement that it was aware of the breach and was tracking the situation. It added that any suspected instances of identity theft should be reported to the F.B.I.’s Internet Crime Complaint Center at www.ic3.gov.
The breach could get expensive for Marriott. Verizon cut what it paid to acquire Yahoo by $350 million after the internet company reported its breach in 2016. And Equifax reported recovery costs of $400 million from its 2017 incident, which affected 148 million people.
Despite months of due diligence, finding out there was a major network attack long after a deal closes is “everybody’s worst-case scenario,” said Jake Olcott, vice president at BitSight, a computer security ratings company in Boston.
Several lawsuits were filed against Marriott on Friday, and investigations were announced by New York’s attorney general, Barbara D. Underwood, and European regulators.
In Europe, where companies can be fined up to 4 percent of global revenue under data protection laws, companies must alert government authorities within 72 hours of a known breach.
Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott “has the potential to trigger the first hefty G.D.P.R. fine,” said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law that took effect this year.
Privacy advocates said there was no excuse for a breach to go unnoticed for four years.
“They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing,” said Gus Hosein, executive director of Privacy International, a group that supports strong data protection laws.
Marriott told shareholders that it did not expect the breach would affect the company’s long-term financial prospects. The company’s share price was down more than 5 percent on Friday.