Marriott Hotel Chain Subject to Data Breach Affecting Up To Half a Billion People

On November 30, 2018, Marriott International Inc (Marriott) disclosed that approximately 500 million guests who stayed at Starwood hotel properties (which Marriott acquired in 2015) between 2014 and 2018 may have had their personal information compromised.  Starwood hotel properties include prominent brands such as W hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and Starwood-branded timeshare properties, amongst others.

The Marriott breach is believed to be the second-largest data breach of personal information in history, with only Yahoo!'s 3 billion account data breach surpassing it in terms of number of individuals affected.  However, the nature of the information potentially compromised in this case may lead to greater damage.

Marriott has stated that only customers of Starwood properties were affected, as Marriott-branded hotels use a different software system that was not breached.  Internal security systems of the hotel chain were alerted to a potential security breach on September 8, 2018, but they were unable to decrypt the information to uncover what exposure the company faced.

Credit card numbers and expiration dates may have been taken, although  Marriott has said that this data was encrypted and therefore perhaps not fully exposed.  Other sensitive personal information that may have been compromised includes guest names, mailing addresses, email addresses, phone numbers, passport numbers, and dates of birth.

Marriott informed the Canadian Office of the Privacy Commissioner of the breach shortly after uncovering the extent of the breach, and has sent out an email to potentially affected individuals and set up a web site and call centre for anyone seeking more information.

Summary By: Hashim Ghazi