Marriott Hit by Starwood Hack That Ranks Among Biggest Ever

(Bloomberg) -- Marriott International Inc. said it’s investigating a hack of the guest reservation database at its Starwood unit that may be one of the biggest such breaches in corporate history. Marriott shares slumped as much as 6.9 percent.

The attack is troubling not just because of its sheer size, but also the level of detail potentially stolen by the attackers. The hack affects some 500 million guests, and for about 327 million of them, the data included passport numbers, emails and mailing addresses, Marriott said. Some credit card details may also have been taken.

The Marriott hack may rank only below Yahoo as one of the biggest of personal data, when 3 billion users were exposed to a 2013 security breach.

“We know there’s going to be a cost, but how big will it be, I don’t know, I don’t think Marriott knows,” said Michael Bellisario, an analyst at Robert W. Baird & Co. “Marriott’s biggest asset is the network effect of customers in the loyalty program. The big question is does it impact the Marriott brand, and the customer desire to be rewards program members? It’s still too early to tell.”

Regulators and consumers have been stepping up their action against companies that have suffered security breaches as such attacks have increasingly become more severe. Target Corp. last year agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen, while Equifax is facing billion-dollar law suits and a regulatory investigation.

“The breach is so big that the company may face a large fine from the authorities and the market is factoring that in,” said Juan Jose Fernandez Figares, chief analyst at Link Securities in Madrid. “This is yet another company that has been hit by a hacking and a reminder to any company that manages customers’ personal data that they need to work harder to protect them from future attacks.”

Marriott’s statement indicates the hacking was going on years before the company acquired Starwood in a deal valued at about $13.6 billion that closed in September 2016. Marriott’s database contained guest information relating to reservations at Starwood properties on or before Sept. 10, 2018. For some, it also included payment card details, said Marriott, which didn’t identify who the perpetrators might be.

Athough Marriott said the details such as credit card numbers were encrypted, it has not been able to rule out the possibility that enough details were taken in order to decrypt this information.

The company has reported the incident to law enforcement and continues to support their investigation, and has also begun notifying regulatory authorities. Marriott informed the U.K. data protection regulator about the breach, the Information Commissioner’s Office said Friday. The regulator asked individuals concerned about how their data was handled to report their worries.

In its quarterly filing dated Nov. 6, Marriott added a warning about security breaches.

“We have experienced cyber-attacks, attempts to disrupt access to our systems and data, and attempts to affect the integrity of our data, and the frequency and sophistication of such efforts could continue to increase,” the firm said, without providing details on specific attacks.

Marriott paid $13.6 billion to acquire Starwood in September 2016 in a deal that created a hospitality industry behemoth that has 1.3 million rooms and more than 110 million loyalty program members. Starwood’s legacy brands include Sheraton, W Hotels, Westin, Aloft and St. Regis.

--With assistance from Sharon Smyth, Giles Turner and Lily Katz.

To contact the reporters on this story: Sree Vidya Bhaktavatsalam in London at sbhaktavatsa@bloomberg.net;Patrick Clark in New York at pclark55@bloomberg.net

To contact the editors responsible for this story: Debarati Roy at droy5@bloomberg.net, ;Sree Vidya Bhaktavatsalam at sbhaktavatsa@bloomberg.net, Christine Maurus

©2018 Bloomberg L.P.