Contact Us

Massive Marriott Hack Goes Way Back

Marriott International has been subjected to a massive data breach involving its Starwood guest reservation database that goes back at least four years, well before Marriott's 2016 acquisition of Starwood, according to the company's recent filing with the Securities and Exchange Commission.

Courtyard by Marriott in downtown Santa Monica, Calif.

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," Marriott said in a statement.

"For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences."

Also, according to Marriott, some payment card numbers and payment card expiration dates were part of the stolen data, though they are encrypted. There are two components needed to decrypt the payment card numbers, but the company hasn't ruled out the possibility that both were taken.

Marriott will begin emailing guests affected by the breach and has also created an informational website and a call center to handle inquries.

The 8-K filing didn't detail how much dealing with the data breach might cost the hotelier. 

According to Baird Equity Research, direct costs to Marriott will include increased near-term technology and legal costs to resolve the breach, increased cybersecurity costs over the long run, and the near-term cost of a one-year enrollment in WebWatcher for affected guests in the U.S. 

The hotel giant also faces legal problems over the breach, including the threat of lawsuits and penalties for violating of the European Union's recently enacted General Data Protection Regulation.

KPMG's Mark Thompson, the global lead for the company's Privacy Advisory Practice, told CNN Business that GDPR penalties will likely be slapped on the company.

Marriott acquired Starwood for $13.6B following an intense bidding war between Marriott and China’s Anbang Insurance, which bid higher but then backed out. The deal received antitrust clearance about two years ago.

The entity created by the deal is the world's largest hotel company. Maryland-based Marriott currently has 30 brands and more than 6,700 properties. It reported revenues of more than $22B in fiscal 2017.