Marriott hotel chain admits data breach impacting 500 million guests over 4 years

By HUB SmartCoverage Team on December 3rd, 2018

The Marriott hotel giant revealed Friday that it had been the victim of one of North America’s latest hacking scandals, and one of the biggest. Marriott explained that the personal information of “up to half a billion people” who stayed at its hotels over the last four years had been compromised.

According to MarketWatch, cybersecurity experts say Marriott missed “a significant chance to halt the breach years earlier” even though the company says it only learned of the “colossal theft of customer data” in recent weeks.

CBC refers to the Marriott breach as “the second-largest theft of personal data in history,” coming second to last year’s hacking of Yahoo that affected over three billion accounts.

The affected hotels are all owned by the Starwood chain and include:

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Meridien Hotels & Resorts
  • Four Points by Sheraton and Design Hotels
  • Starwood-branded timeshare properties

Marriott’s own hotel brand was not impacted by the breach because it operates on a different software system that was not compromised.

Anyone who was a guest at one of the Starwood-owned hotels listed above between 2014 and September 2018 may have had their data stolen, even in Canada.

Marriott claims it was made aware of the breach over two months ago, on Sept. 8, when one of its security tools signaled a potential breach “but the company was unable to decrypt the information that would define what data had potentially been exposed.” The company has started to email all those impacted.

Some 327 million guests had “some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation date and communication preferences stolen.”

Ted Rossman of says “The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted. People should be concerned that criminals could use this info to open fraudulent accounts in their names.”

Starwood and Marriott announced their merger in November 2015. The combined chain now has over 6,700 hotels around the world totaling more than 1.1 million rooms.

Marriott CEO Arne Sorenson was apologetic. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
