WASHINGTON - Marriott International, one of the world's largest hotel chains, revealed Friday that its Starwood reservations database had been hacked and that the personal information of up to 500 million guests could have been stolen.
The data breach involved information mined from the database for Starwood properties, which include Sheraton, Westin and St. Regis hotels. An unauthorized party had accessed the database since 2014, company officials said. The breach included names, email addresses, passport numbers and payment information, according to the hotel giant.
"We deeply regret this incident happened," Arne Sorenson, Marriott's chief executive, said in a news release. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
With up to 500 million people affected, Marriott's breach is second in size only to Yahoo's breaches in 2013 and 2014, which affected 3 billion user accounts. The company said that it had reported the breach to law enforcement and was notifying regulatory authorities.
The hotel chain, based in Bethesda, Maryland, a suburb of Washington, has set up a website at info.starwood.com and a call center to answer questions, and it began emailing affected guests Friday.
News of the breach sparked questions among cybersecurity experts about whether the hackers were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possibly diplomats, business people or intelligence officials as they moved around the globe. Hotel chains, with their vast customer databases and proprietary WiFi networks, likely make appealing targets.
"We know that the hospitality business is a very attractive target for nation states," said Thomas Rid, a political-science professor at the Johns Hopkins School of Advanced International Studies who specializes in cybersecurity issues. "You can more easily hack some high-value targets from within a hotel WiFi."
Security experts also questioned the extent and quality of the encryption used by Marriott. The news release specified that the company used encryption to protect credit card numbers, but Connie Kim, a Marriott spokeswoman, declined to comment on whether other personally identifiable information --including names, addresses, phone numbers, email addresses and passport numbers -- was protected in this way, as security experts recommend.
The company acknowledged, however, a possible weakness in its protection of credit card numbers, saying that it could not "rule out the possibility" that the encryption keys had also been taken, which would let the attackers decrypt the card data. Encryption protects stored data only as long as the keys are kept apart from it: well-designed systems hold the keys in a separate key-management service or hardware security module, so that copying the database does not also hand over the means to read it.
"The fact that they can't rule out that the keys were taken sounds like a problem," said Matthew Green, a Johns Hopkins University cryptographer.
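The separation the experts are describing is usually implemented as envelope encryption: each record is encrypted under its own data key, and that data key is stored beside the record wrapped under a master key that never touches the database. The following Go program is an added illustration of that design, not code from Marriott or Starwood, and it says nothing about how their systems actually worked; the key-encryption key (KEK) and the record identifiers used as associated data are assumptions for the demo. It shows that a full copy of a table row is useless without the KEK, and that a row copied into another record fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what a reservations table would hold for one guest's card:
// the ciphertext plus the per-record data key, itself encrypted ("wrapped")
// under a key-encryption key (KEK) that is never written to the database.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// gcmSeal encrypts with AES-256-GCM and prefixes a random nonce. The row
// identifier is passed as associated data so a ciphertext moved to another
// row is rejected on decryption.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal and fails on a wrong key or any tampering.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptCard draws a fresh 256-bit DEK for this record, encrypts the card
// number under it, and wraps the DEK under the KEK. Everything returned is
// safe to store in the database; only the KEK must stay outside it.
func EncryptCard(kek []byte, recordID, card string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	ct, err := gcmSeal(dek, []byte(card), []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptCard is the only way back to the plaintext and it needs the KEK:
// a stolen copy of the row (ciphertext plus wrapped DEK) is not enough.
func DecryptCard(kek []byte, recordID string, rec Record) (string, error) {
	dek, err := gcmOpen(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := gcmOpen(dek, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("decrypt card: %w", err)
	}
	return string(pt), nil
}

func main() {
	// Constructed demo: the KEK would live in a key service, not in the table.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := EncryptCard(kek, "reservation-0001", "4111111111111111") // test card number
	if err != nil {
		panic(err)
	}
	card, err := DecryptCard(kek, "reservation-0001", rec)
	fmt.Println("application with KEK:", card, err)
	// An attacker who copied the whole row but never obtained the KEK.
	_, err = DecryptCard(make([]byte, 32), "reservation-0001", rec)
	fmt.Println("attacker without KEK:", err)
}
```

The design only helps if the KEK is genuinely held elsewhere (a key service or HSM that unwraps DEKs on request and can be audited and rate-limited); if the KEK is on the same host or in the same backup as the table, the attacker's copy of the database carries its own decryption key, which is the scenario Marriott said it could not rule out.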
For most customers, the likeliest risk from the breach is identity theft. Such detailed personal information would make it easier for criminals to impersonate others for the purpose of conducting banking transactions, applying for government benefits or even seeking to enter secure facilities that require official identification, such as passports.
Unlike some other major hacks -- such as last year's breach of the credit-reporting agency Equifax, which affected more than 145 million people -- there is no report suggesting that Social Security numbers were exposed in the Marriott breach. But the company said that for about 327 million customers, details on where and when they stayed at various hotels may have been revealed, giving the hackers a record of individuals' travel.
Marriott said Friday that it had learned on Sept. 8 that an unauthorized party had access to its systems, but the hackers had concealed what they were taking by encrypting the stolen data themselves before attempting to remove it from the network. That made it harder for the company to determine the nature of the breach; Marriott was not able to decrypt the data until Nov. 19.
Investigators found that the hackers had had access to Starwood's systems since 2014. The intrusion went undetected when Marriott acquired Starwood in 2016 and for two more years afterward.
"Marriott now faces brand and reputational damage, regulatory oversight and legal issues as the result of a cybersecurity incident that occurred two plus years before they announced the acquisition of Starwood," Jeff Pollard, vice president and analyst at Forrester said in an email. "It highlights the importance of robust cybersecurity due diligence during the acquisition process."
In a filing reporting the breach to the Securities and Exchange Commission, Marriott said that while it was too early to estimate the financial impact of the breach on the company, it did not anticipate that it would affect Marriott's "long-term financial health."
In 2015, Starwood, along with other luxury hotel brands such as the Trump Collection and Mandarin Oriental, fell prey to credit card breaches. Malware aimed at stealing credit and debit card information was found on payment systems at restaurants and stores in 54 Starwood hotels in North America, according to an online letter from company president Sergio Rivera. That breach happened just days after the Marriott acquisition was announced.
On Friday, New York Attorney General Barbara Underwood, Maryland Attorney General Brian Frosh and Pennsylvania Attorney General Josh Shapiro all said their offices had opened investigations into the recently disclosed breach.
For about two-thirds of compromised guests, the information exposed was strictly personal: birthdays, gender, email and mailing addresses, and phone numbers. Passport numbers were also exposed for some customers, which raises the risk of fraud and identity theft. In last year's Equifax breach, passport information from 3,200 people was stolen. Kim, the Marriott spokeswoman, declined to specify how many customers' passport information was compromised but said it was a "smaller subset."
The Federal Trade Commission, which oversees the cybersecurity standards of companies, is likely to investigate the Marriott breach, said David Vladeck, former director of the FTC's Bureau of Consumer Protection and now a Georgetown Law professor. The FTC declined to comment.
"My assumption would be this is something that the FTC would take a very serious look at," Vladeck said. "This is a massive breach. It's half a billion people!"
Payment card numbers and expiration dates were stored in encrypted form. Still, Marriott said, it had "not been able to rule out" the possibility that card information had also been stolen.
"The apparent failure to detect and remove hackers from its systems for four years calls into question whether Marriott took the security and privacy of its customers seriously," said Sen. Richard Blumenthal, D-Conn., who has been pushing Congress to enact enforceable standards on consumer data privacy. "Once again, Americans are left to pay the substantial cost of corporate negligence."
Earlier this week, at a hearing on the FTC, Blumenthal blasted the agency for its failure to hold companies accountable for recent data breaches, underscored the need for Congress to act and outlined protections he believes national legislation should contain.
"We have seen this year that the misuse and abuse of our data represents a threat to consumer safety, but also national security, the defense of our nation, and the health of our democracy," Blumenthal said at the hearing. "We simply can't endorse the status quo."
The company has more than 6,700 properties around the world.
This article was written by Taylor Telford and Craig Timberg, reporters for The Washington Post. The Post's Tony Romm contributed to this report.