Global hotel giant Marriott announced on Friday the hacking of a database that could contain the information of about 500 million customers, noting that an internal investigation had revealed "unauthorized access" since 2014.
The US group, based in Bethesda, Maryland, said in a statement that it had received an internal report on September 8, 2018 regarding an attempt to access a large US reservations database. Its investigations revealed that an "unauthorized third party" had "copied and encrypted the information and started operations to remove it".
"We deeply regret this incident: from the beginning, we moved quickly to limit this incident and conduct an in-depth investigation with the assistance of leading security experts," said Arne Sorenson, the head of Marriott, quoted in the statement. "We are doing everything we can to support our customers."
"We are allocating all the resources needed to eliminate Starwood systems and accelerate the continued strengthening of our network security," he said.
At the opening of Wall Street on Friday, the giant's stock fell 4.78% to $116.02.
The police have opened an investigation, with which Marriott is cooperating, and the regulatory authorities have been notified.
New York attorney Barbara Underwood said on Twitter that her office was examining this intrusion. "New Yorkers deserve to know that their personal data will be protected," she said.
The Marriott group, which merged in 2016 with the American group Starwood, becoming the largest hotel group in the world, says it has not finished identifying the information that was duplicated. The data may cover bookings made up to and including 10 September 2018.
– Starwood Network –
It noted that for approximately 327 million of the approximately 500 million customers in the database, the information includes names, postal and email addresses, telephone and passport numbers, date of birth, gender, or account details for Starwood Preferred Guest (SPG), a high-end card recently launched by the American Express card issuer for frequent travelers.
For some of these people, even the credit card number and expiration date are affected, but Marriott is not able at this stage to say whether the intruder managed to defeat the GSP encryption.
For millions of other customers, information at risk includes only the name and sometimes other details such as e-mails and e-mail addresses.
This would be the biggest known personal data breach after that of Yahoo in 2013, when all three billion of its user accounts were hit.
"A serious data breach for four years," noted Cowen analysts, saying that the fact that only the Starwood system is affected and that the group acted "fast enough" should allow "harm limitation".
For analysts at Goldman Sachs, "even if the entity (piracy) is big, it's too early to assess the potential financial impact" for Marriott, which, the analysts say, has IT security insurance.
The hotel group has set up a dedicated website (info.starwoodhotels.com) and a call center to inform customers. It plans to send emails to the affected customers starting Friday, it added.
The site states that only bookings made through the Starwood network were affected because "Marriott uses a separate booking system located on a different network".
The Starwood hotel portfolio includes W Hotels, Sheraton Hotels and Resorts, Westin Hotels and Resorts, Le Méridien Hotels and Resorts, Four Points by Sheraton and Design Hotels. Starwood timeshare properties were also exposed. At the time of the merger, Starwood was worth $13.6 billion.
Marriott said it is offering a free one-year subscription to WebWatcher, a service that monitors the Internet to see if a customer's personal information is being used.
The group has a total of 6,700 properties including duty free in thirty hotel chains spread across 129 countries. At the end of 2017, it managed 1.25 million rooms and had a turnover of over $22 billion that year.