A booking database run by the biggest hotel chain in the world has been targeted by hackers in a cyber attack that could affect half a billion customers.
Marriott International announced today that 500million guests’ data may have been exposed in breaches of the system for its Starwood portfolio that began in 2014.
The ‘data security incident’ has affected hotels including Trump Turnberry in Ayrshire as well as London’s Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly.
The database stored information including passport numbers, dates of births, names, addresses and phone numbers for 327 million guests.
The ‘data security incident’ hit the system for its Starwood portfolio, which includes Trump Turnberry in Ayrshire
The company said reservations at its Starwood properties – which include the Park Lane Sheraton Grand (pictured) had been affected by the data breach
Payment card numbers and expiration dates were also stored for some.
What is Marriott’s Starwood division? How brands include Sheraton, Le Méridien and W Hotels
Starwood was founded in 1969 and was based in Connecticut in the US.
It was bought in 2016 by Marriott International for a deal estimated to be worth $13.6billion (£10.6million)
The purchase created the largest hotel chain in the word with more than 5,800 properties.
Starwood’s hotel brands are W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Marriott branded hotels use a separate reservation system on a different network, so it was not affected by the hack.
The breach was spotted in the Starwood guest reservation database in the US on September 8.
The company ‘discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it’, a statement said.
Security experts determined there ‘had been unauthorised access to the Starwood network since 2014’, it added.
Researchers decrypted the information and determined its contents were from the Starwood reservation database on November 19, the company said.
Marriott president and chief executive Arne Sorenson said: ‘We deeply regret this incident happened.
‘We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.’
The Maryland-based firm said law enforcement agencies are investigating.
Payment card numbers are encrypted using a method that requires two components to break it, a statement said.
Le Meridian Piccadilly in central London which has also been affected by the hack.
The firm said the guest reservation database of its Starwood hotel brand had been compromised by an unauthorised party (file pic)
What to do if you are affected by the data breach
The Marriott group says it will be contacting affected customers whose emails were in the Starwood database.
It contained details of reservations made on or before September 10 2018.
A dedicated website has been set up for those affected, and the firm is also operating a free helpline.
For UK customers the number is 0808 189 1065.
It is advised that anyone affected should be aware of any suspicious transactions on your bank account.
‘Marriott has not been able to rule out the possibility that both were taken,’ it added.
The National Crime Agency said it is making enquiries.
Starwood was bought by Marriott in 2016.
The Information Commissioner’s Office (ICO) has began making inquiries over the breach and has the power to impose large fines.
‘We have received a data breach report from Marriott Hotels involving its Starwood hotels and will be making inquiries,’ a spokesman said.
‘If anyone has concerns about how their data has been handled they can report these concerns to us.’
Facebook was fined £500,000 over the Cambridge Analytica scandal which saw an estimated 87 million users’ data breached, but the tech giant has mounted an appeal.