In 2016, Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion. Marriott discovered the breach on September 8 this year, after it received an alert from an internal security tool “regarding an attempt to access the Starwood guest reservation database in the United States.”
On November 19, the company said that it obtained and decrypted the database and “determined that the contents were from the Starwood guest reservation database.”
Hackers stole sensitive personal information belonging to nearly 327 million guests. The data includes their names, phone numbers, email addresses, mailing addresses, dates of birth, passport numbers, genders, reservation dates, arrival and departure information, and communication preferences. Most worrying, they also stole some users’ payment card numbers and payment card expiration dates.
But, according to the company, “the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” Attackers would need two components to decrypt the payment card numbers, and “at this point, Marriott has not been able to rule out the possibility that both were taken.”
The company has begun notifying law enforcement and regulatory authorities of the incident and continues to support their investigation. Since the data breach falls under the European Union’s General Data Protection Regulation (GDPR) rules, Marriott could face significant financial penalties of four percent of its global annual revenue.