It’s been a couple of months since a major company unveiled a data breach that affected millions of people, so it’s time for a new one. The Marriot hotel chain has announced a major database breach that could affect anyone who stayed at its 6,700 worldwide Starwood hotel properties since 2014—up to 500 million people in total.
That’s a lot of people an a long stretch of time, so check out our FAQ for all of the information:
Marriott says it received an alert from an internal security tool on September 8 warning of an attempt to access the Starwood guest reservation database in the United States. In its investigation of the incident, Marriott learned that an unauthorized party gained access to the company’s customer database and “copied and encrypted information, and took steps toward removing it.”
How did the hackers get in?
Marriott isn’t being totally clear here, but it appears as though this wasn’t the usual exploit of a vulnerability. Rather, someone without the proper credentials was able to access the Marriott reservation database to make a duplicate encrypted copy of customer information, which was then presumably taken outside the system.
How far back does the breach go?
Marriott says the unauthorized access goes back to 2014.
Why wasn’t Marriott alerted sooner?
Also unclear, but perhaps the unauthorized party only recently started accessing the system. Or possibly Marriott recently installed new security software that was able to detect the access.
Why are we just hearing about now?
Marriott says it was only able to decrypt the files on November 19, and is still working to uncover the scope of the breach.
What was stolen?
Marriott is still sorting through the data it was able to recover, but for most customers, the following data may have been stolen: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information, along with reservation dates and communication preferences.