Marriott today announced a major data breach, perhaps one of the largest in history. This breach illustrates the often made point that breaches and intrusions happen and go unnoticed for months or years. Marriott’s breach involved an unauthorized party that copied and encrypted information in the Starwood reservations database back in 2014. When Marriott acquired Starwood in 2016, the breach went undetected as that merger went forward, only to be discovered in 2018. This breach should be a red flag for anyone involved in mergers and acquisitions that cybersecurity should be a top priority in the due diligence process.
The breach affects the Starwood guest reservation database for guests and reservations made at Starwood properties on or before September 10, 2018. Marriott stated that the database includes information on up to 500 million guests who made a reservation at a Starwood property. Initial reports from Marriott state that for up to 327 million people, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Marriott is also saying they can’t rule out whether credit card information was also compromised. Marriott immediately directed customers to a dedicated website that offers information about the breach, worldwide call center contact information, and credit monitoring information. Marriott has also stated that customers affected will receive email from a specific email address: firstname.lastname@example.org.