The hotel chain asked guests checking in for a treasure trove of personal data: credit cards, addresses and sometimes passport numbers. On Friday, customers discovered the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal information of up to 500 million guests.
The attack began as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.
The intrusion was a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.
The Starwood attack occurred at roughly the same time as a number of other breaches at American health insurers and government agencies, including the United States Office of Personnel Management, in what security research firms and government officials described as an effort to compile a vast database of personal information on potential espionage targets.
Experts don’t know if the Starwood attack was related to those other episodes. But Starwood’s data has not turned up on the so-called dark web, according to Recorded Future, a cybersecurity firm, and Coalition, a cyber insurance provider, which suggested that the hotel attackers weren’t looking to sell what they took.
“Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington.
The breach hit customers who made reservations for the Marriott-owned Starwood hotel brands from 2014 to September 2018. The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Elements and the Luxury Collection.
Marriott hotels, including Residence Inn and the Ritz-Carlton, operate on a separate reservation system. The company has plans to merge that system with Starwood’s.
The names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.
Marriott said it had set up a dedicated website and call center to handle guests and said it would try to reach affected customers on Friday to inform them of the breach. The site was having problems staying online shortly after the attack was announced.
The company is offering one year of free enrollment in a service called Web Watcher to people who live in the United States, Canada and Britain. Marriott described it as a service that keeps an eye on websites where thieves swap and sell personal information and then alerts people if anyone is selling their information.
“We deeply regret this incident,” Arne Sorenson, Marriott’s president and chief executive, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves.”
The intrusion went unnoticed for four years by Starwood, which was acquired by Marriott in 2016 for $13.6 billion. It was uncovered in early September, when a security tool alerted Marriott officials to an unauthorized attempt to access Starwood’s guest reservation database. The alert prompted Marriott to work with outside security experts, who discovered that the hackers had grabbed a foothold in Starwood’s systems starting in 2014.
On Nov. 19, digital forensics experts uncovered the full scope of the attack. It was the second major security breach Starwood has reported. Its cash register systems were penetrated in 2015.
The Federal Bureau of Investigation said in a statement that it was aware of the breach and was tracking the situation. It added that any suspected instances of identity theft should be reported to the F.B.I.’s Internet Crime Complaint Center at www.ic3.gov.
In recent years, cybersecurity experts said, the hospitality industry has become a rich target for nation-state hackers looking to track the travel movements and preferences of heads of states, diplomats, chief executives and other people of interest to espionage agencies.
Going after hotel customer lists has been part of a broader effort to obtain giant databases of information. So big, in fact, that they would be of little use to run-of-the-mill hackers. But to a government, they would be very useful.
That information could be fed, for example, into an analysis program run by a country’s state security apparatus, Mr. Lewis said. Using “big data” technology similar to what marketers use in targeted advertising, the country could try to pinpoint the comings and goings of intelligence agents from other nations. Did they stay, for example, in the same hotel as a potential source for that country?
The breach could get expensive for Marriott. Verizon cut what it paid to acquire Yahoo by $350 million after the internet company reported its breach in 2016. And Equifax reported recovery costs of $400 million from its 2017 incident, which affected 148 million people.
Despite months of due diligence, finding out there was a major network attack long after a deal closes is “everybody’s worst-case scenario,” said Jake Olcott, vice president at BitSight, a computer security ratings company in Boston.
Several lawsuits were filed against Marriott on Friday, and investigations were announced by New York’s attorney general, Barbara D. Underwood, and European regulators.
In Europe, where companies can be fined up to 4 percent of global revenue under data protection laws, companies must alert government authorities within 72 hours of a known breach.
Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott “has the potential to trigger the first hefty G.D.P.R. fine,” said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law enacted this year.
Marriott told shareholders that it did not expect the breach would affect the company’s long-term financial prospects. The company’s share price was down more than 5 percent on Friday.
Marriott has also been dealing with strikes by thousands of workers in nine cities, as well as customer complaints about problems with rewards programs after efforts to merge data from Starwood’s rewards program into Marriott’s left the records of millions of customers in limbo.
Lawmakers said the episode was yet another example of why the United States needs data privacy laws that punish companies for failing to keep customers’ information private.
“It is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses,” Senator Mark R. Warner, a Democrat from Virginia, said in a statement.
Privacy advocates said there was no excuse for a breach to go unnoticed for four years.
“They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing,” said Gus Hosein, executive director of Privacy International, a group that supports strong data protection laws.