Marriott hack exposes data of 500 million customers
Hotel giant Marriott has announced that 500 million customers’ data has been stolen, a result of a four-year hack into its systems.
Marriott first received an alert into possible unauthorised access to its system in September 2018, but only alerted customers to this fact on 30 November after a 2-month internal investigation.
Of the 500 million customers, 173 million only had their names and address or email address stolen. A further 327 million had more information stolen, including a combination of their gender, date of birth, trip details and passport number. While the hotel chain still isn’t sure if credit card information was stolen, as all credit card information is encrypted, it warns that the card decryption keys were possibly stolen too.
In its investigation Marriott found out the issue had been ongoing for four years, beginning in 2014 with an initial hack into the Starwood hotel chain. In 2016 Starwood was acquired by Marriott, although Marriott claims only customers of the Starwood hotels had their information stolen.
In its announcement of the hack, Marriott linked to a dedicated help site for customers who are worried they could be victims. In addition, it has opened a call centre for those who may have lost faith in the security of online interactions after the hack.
As the Marriott chain operates globally, many data agencies have been quick to open investigations into the hack. In the UK the ICO has said it is “making enquiries.” It advises potential victims “to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online.”
While the Marriott hack isn’t the biggest hack of all time, with Yahoo’s 2013 breach losing information on six times as many accounts, it’s the largest by a non-digital business. It’s also one of the longest, and the four years’ access the hackers had exacerbated the scale of the breach significantly.