Marriott says personal data on 500m customers at risk in massive breach

Westin hotel in Dublin was originally part of the Starwood chain where the breach took place

The Westin, part of the Starwood chain, which is owned by Marriott

The Westin, part of the Starwood chain, which is owned by Marriott

 

The world’s biggest hotel company, Marriott International, said on Friday the personal details of up to 500 million guests were at risk as a result of a massive data breach that had been going on since 2014.

While several Irish hotels fall under the Marriott umbrella, including the Shelbourne hotel in Dublin, the Powerscourt Hotel in Co Wicklow and the Sheraton Athlone Hotel in Co Westmeath, only the Westin hotel in Dublin was originally part of the Starwood chain where the breach took place.

A spokeswoman for the Westin said the hotel was not in a position to comment at this stage.

In a statement, Marriott said its Starwood Hotels & Resorts guest reservation database had been the victim of a “security incident” and had been unlawfully accessed. The database contained the reservation details of up to 500 million guests, of which around 327 million records listed details including some combination of the person’s name, phone number and passport number among other things.

“For some the information also includes payment card numbers and payment card expiration dates,” said Marriott in a statement.

The hotel chain said it had not been able to rule out the possibility that information needed to decrypt payment card numbers were taken.

Security tool

Marriott said it had only become aware of the breach in September this year when it was alerted by an internal security tool regarding an attempt to access the Starwood database in the US.

However, during the course of its internal investigation the hotel chain said it had learned “that there had been unauthorised access to the Starwood network since 2014”. Marriott bought the Starwood chain in 2016 for $13.6 billion (€12bn).

Marriott said it had determined the extent of the problem on November 19th, following which it had notified law enforcement. The company said it was working with its insurance providers and expected to disclose costs related to the incident in due course. However, it said it did not anticipate the breach to “impact its long-term financial health”. - Additional reporting by The Financial Times