On the morning of Nov. 30, Marriott announced that the data of approximately 500 million customers had been compromised by a breach of the Starwood Hotels database. Starwood became a subsidiary of Marriott when it was acquired by the hotel chain in 2016, and according to the statement on Marriott’s news site the breach has been an ongoing occurrence since 2014 but wasn’t detected until Sept. 8, 2018.
The breach impacts guests who booked stays at Starwood properties on or before Sept. 10., and could be the second largest in history—the honor of the first goes to Yahoo, which announced a hack that compromised 3 billion costumers’ data in 2016.
“For approximately 327 million of these guests,” the statement reads, “the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” Marriott also says that for some customers credit card information may have also been taken, but can’t say for sure because of the encryption type.
The company made clear that it had contacted the appropriate legal and regulatory authorities and was fully cooperating with any investigations. Email notifications will be sent to affected guests.
“We deeply regret that this happened,” said Arne Sorenson, Marriott’s president and CEO. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center…we are [also] devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Marriott’s statement fulfills some communications tenets of transparency with its audience, explaining the steps the company is taking to rectify the situation and having the head of the company apologize for the issue. It gives the details of what the company knows so far, and leaves space for more information to come out in the future. But it does leave a few things to be desired.
Jake Williams, president and founder of Rendition Infosec, a cybersecurity firm, told NBC News, “I’m playing guesswork at what some of these statements mean,” noting that it was unclear whether Marriott was aware of the four-year-long security breach before it bought the Starwood company two years ago.
It also seems that the company knew about the breach since September, but waited two months to announce it to the public. Though it picks up some points for disclosing that information in its statement, it begs the question of why it didn’t alert the public sooner.
Marriott finds itself at a crossroads. It can take the path of Equifax, which has learned from its own 2017 breach by prioritizing educating customers about how to protect their data. Or it can be like Facebook, which is still dealing with the fallout of the Cambridge Analytica scandal now that it appears it was known about well before it was announced.
Based on this statement, it appears Marriott is more likely to go in the former direction, but that will become clear as more information emerges.