In perhaps one of the biggest and extensive data breaches, Marriott International, the American hospitality group and the largest hotel chain in the world has admitted to a data breach affecting up to 500 million hotel guests over a period of four years. The Marriott data breach dates back to 2014.

The Marriott Hotel chain has said data from customers at Starwood Hotels has been breached and the personal information of the guests who stayed at Starwood Hotels between 2014 and 2018 may have been stolen.

The Marriott International data breach is so far the second-largest theft of personal data in history, with the Yahoo breach of 2017 that affected more than 3 billion accounts preceding it.

Customers in the US have sued the global hotel chain Marriott seeking $12.5 billion in damages.

List of affected Starwood hotels 

• W Hotels
• St. Regis
• Sheraton Hotels & Resorts
• Westin Hotels & Resorts
• Element Hotels
• Aloft Hotels
• The Luxury Collection
• Tribute Portfolio
• Le Meridien Hotels & Resorts
• Four Points by Sheraton and Design Hotels
• Starwood-branded timeshare properties

What does Marriott say?

Marriott International revealed on November 30 that its guest reservation system was hacked, exposing the personal information of approximately 500 million guests.

Marriott says it became aware of the breach on September 8 when an internal security tool signalled a potential breach.

Marriott has been sending emails to the affected people.

The data stolen included information such as passport numbers, emails, date of birth, gender, and mailing addresses.

According to Marriott, the breach involved unauthorised access to a database containing guest information tied to reservations made at Starwood properties on or before September 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Personal information stolen in data breaches can often make its way to the black market where it can be purchased and used to execute a variety of attacks on individuals including identity theft and targeted email phishing schemes.

Remedies suggested by cybersecurity experts

Stating that questions should be asked as to how 500 million guests were affected by this cyber-attack, David Emm, Principal Security Researcher at Kaspersky Lab, says it is only beginning to assess the true extent of the attack, adding that the security solutions at the Starwood Hotels and Marriott Group weren’t sufficient enough if it allowed an unauthorised third-party to get into the system.

“This data breach is now one of the most critical data-breaches in history. Not only is the amount of the information stolen terrifying, but the personal details that were exposed are essentially a database of very personal resumes of millions of people, in some cases accompanied by their credit card details. This opens the possibility of multiple threats, from spear-phishing attacks to cyber espionage,” says Emm.

He adds: “Consumers who are concerned about their data will receive a notification if they’ve been affected, but we urge those who are concerned to proactively check with Marriott Group.”

Warning consumers to remain vigilant, Emm says these types of breaches may present scammers with an opportunity to try and scam people by pretending to be from the ex-Starwood Hotels chain or Marriott Group.

“Our advice to people is to definitely change your passwords and use electronic cards, not physical ones, for online payments,” suggests Emm.

John Shier, a senior security advisor at cybersecurity firm Sophos, says: “The potential fallout from the Marriott’s Starwood data breach should be alarming to anyone who has stayed at a Starwood property in the last four years. Not only are guests at risk for opportunistic phishing attacks, but targeted phishing emails are almost certain, as well as phone scams and potential financial fraud. Unlike previous breaches, this attack also included passport numbers for some individuals who are now at increased risk for identity theft. At this point, however, it’s unclear what level of exposure each individual victim has been subject to. Until then, all potential victims should assume the worst and take all necessary precautions to protect themselves from all manner of scams.”

Sophos has a few tips to offer on what people can do if they fall victim to such scams.

1. Be on alert for spearphishing: Marriott has said personal details associated with the Starwood Preferred Guests accounts have been compromised and personal email addresses are vulnerable. This creates the perfect scenario for cybercriminals to actually spearphish consumers because they have this type of detailed information. In spear phishing, an email appears to come from an organisation that is closer to the target, such as a particular company. The hacker’s goal is to gain access to trusted information.

2. Be on alert for opportunistic phishing: Marriott has said it will email Starwood Preferred Guests who may be impacted. Do not click on links in emails or other communication that seem to have come from Marriott or Starwood Hotels. It’s possible that criminals will try to take advantage of this by sending malicious tweets or phishing emails that look like they’ve come from the company. Hover over URLs and links to see the address before you click. Look at the email address to see where it is from.

3. Monitor your financial accounts: Reports indicate that the attackers may have access to some members’ encrypted credit card information, but it’s not clear as of yet if this information can be decrypted; in general, monitor your credit card for suspicious activity. As a safety precaution, change the password to your online credit card account. If you use the same password for similar financial management websites, immediately change the password on those websites. As a best security practice, always choose a different, strong password for each sensitive account.

4. Change passwords (as a precaution): It’s not clear as of yet if the attackers have access to Starwood Preferred Guest account passwords, but as a safety precaution, consumers can change their password. If this password is also used for any financial accounts, change those immediately. Monitor your Starwood Preferred Guest account for suspicious activity.

5. Don’t Google ‘Web Watcher’: Marriott is offering victims in the USA, the UK, and Canada a free, one-year subscription to something it calls WebWatcher, which it describes as a service that monitors “internet sites where personal information is shared.” Don’t Google it. If you Google “WebWatcher,” you won’t find the monitoring service, you’ll find lots of links to spyware of the same name. Don’t sign up for that. Do follow the links to country-specific versions of the official breach site. You cannot sign up for monitoring from the main breach page, you have to go to the all-but-identical versions of the page for the US, UK, or Canada.