Today, the world's largest hotel chain, Marriott International, disclosed what may turn out to be one of the largest data breaches in history.
According to a disclosure from the hospitality giant, a data breach has exposed the personally identifiable information (PII) and financial information of up to 500 million customers who visited any of the chain's Starwood properties between 2014 and Sept. 10, 2018.
"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States," wrote Marriott representatives in a statement from Marriott. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014."
In that database, hackers accessed the information of approximately 500 million guests. For 327 million of those guests, breached data included PII such as name, mailing address, phone number, email address, passport number, date of birth, gender, and more, according to a statement from Marriott. Customer payment card information, which was protected by encryption, was also accessed. At press time, Marriott had not determined whether hackers also accessed the encryption keys needed to access that data.
The network intruders encrypted all of the information that they pulled from Marriott's network, likely in an attempt to fool data-loss prevention (DLP) software, and Marriott has not yet been able to decrypt the full set of stolen information.
Marriott did not disclose when in 2014 the data breach began, but Starwood, which was acquired by Marriott in 2015, had a previous breach in November 2015, and the two breaches could be connected.
The previous breach involved the installation of malware on point-of-sale machines in Starwood restaurants and gift shops, and did not involve reservation systems.