Marriott’s Starwood Data Breach Could Affect 500 Million
On Friday, Marriott International Inc. disclosed a data breach in its Starwood reservation database that could expose the personal information of up to 500 million guests. Marriott was alerted to a potential breach on Sept. 8, and after investigating, the company found that the hack into the system has allowed unauthorized access since 2014. Marriott found that the hacker had copied and encrypted the information, but wasn’t able to identify the exact information accessed until Nov. 19.
For around two-thirds, or 327 million, of the potentially affected guests, the hacker may have gained access to information such as names, contact details, passport and travel details, and loyalty program accounts. Marriott said that credit card numbers are usually encrypted; however, it couldn’t promise that card information wasn’t stolen as well. The breached database contained information for guests who made reservations on or before Sept. 10 at global Starwood hotels.
The breach was one of the most massive known hacks of personal data in history, second only to the Yahoo data breach that affected three billion user accounts in 2013. As investors and regulators learned about the Marriott hack, its shares declined by 5.6 percent, the company’s most significant decline since June 2016. Marriott could end up paying fines totaling $200 million.
Its most significant risk, however, is the harm that the hack could cause to its relationship with its customers. “Marriott’s biggest asset is the network effect of customers in the loyalty program,” said Robert W. Baird & Co. analyst Michael Bellisario. Hotel companies rely on loyalty programs to gain repeat customers, and according to Bellisario, “[the] big question is: ‘Does it impact the Marriott brand, and the customer desire to be rewards program members?’”
Marriott is taking steps to support the customers who have been impacted by the breach. The hotel chain said that it will begin emailing affected guests and has set up an informational website and a call center. It is also providing guests in the United States, Canada and Britain with a free one-year membership to WebWatcher, a service that monitors websites on which personal information is shared. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” said Marriott CEO Arne Sorenson.