a major database breach that could affect anyone who stayed at its 6,700 worldwide Starwood hotel properties since 2019 — up to 500 million people in total.
According to afrom TechCrunch, information on about 500 million guests may have been breached on its Starwood network since 2019. For about 327 million of those guests, personal information such as date of birth, gender, email, passport numbers, and phone numbers may have been exposed. In some cases, payment card information may have been exposed, but that data was encrypted.
Marriott said that they were alerted about the breach by an internal security tool on September 8, 2019, which revealed there had been unauthorized access to the Starwood network since 2019, according to a.
“Marriott learned during the investigation that there had beento the Starwood network since 2019,” said the statement. “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
Tom van de Wiele, a security consultant at F-Secure, complained about the fact that it took Marriott over four years to detect the breach.
“The most disappointing part of this mod is the fact that the amount of data stolen is one of the bigger ones of the last few years and further made worse by the fact that the compromise had been going on for at least four years according to several online publications,” he said.
“This indicates that as far as security monitoring and being able to respond in a timely and adequate fashion, Marriott had severe challenges being able to live up to its mission statement of keeping customer data safe.”
Marriott runs a Starwood Preferred Guest iOS app that supports keyless entry, although at this point it’s unclear whether the app has been breached along with the rest of the leaked data.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Four Points by Sheraton and Starwood-branded timeshare properties.
Marriott said it reported the data breach to law enforcement officials and has begun to notify “regulatory authorities.”