Friday, November 30, 2018

Marriott reveals data breach for up to 500 million guests

The world’s largest hotel chain just revealed what might be the second-largest data breach in history.

On Friday, Marriott revealed hackers broke into the reservation system of its Starwood hotel brands, which include Sheraton, Starwood’s Westin, Four Points by Sheraton, Aloft, St. Regis, W Hotels and Le Méridien. The hacked database contained information for up to 500 million customers.

Quartz reported:

The company announced in a statement that it discovered the hack on Sept. 8, just weeks after officially (and controversially) merging the Marriott Rewards and Starwood Preferred Guest (SPG) loyalty programs. It managed to decrypt the information and determine the scope of the breach on Nov. 19. The Marriott network of properties are reportedly not affected.

The BBC reported:

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information".

… For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information.

Though Marriott hasn’t revealed a number, it said “some” guests had their payment information leaked—and admitted that although Marriott did encrypt the information, the two components required to decrypt credit card details might have also been stolen.

On Friday, Marriott tweeted a link to its statement and links for potentially affected customers:

In its statement, Marriott wrote:

Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.

… Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.

The hotel chain is currently sending emails to affected guests and opened a call center to answer questions and concerns. It’s also providing customers with one year of complimentary access to WebWatcher, so consumers can monitor their data for signs of identity theft.

Marriott’s PR team is already scrambling as backlash grows online and more customers contact the chain’s call center.

Quartz reported:

SPG-ers—the obsessive and niche brand of loyalty-chasing travelers who were folded into the new Marriott rewards program that will reportedly be known as “Bonvoy”—were already none too pleased about the merger. Though anyone who booked at a Starwood property could be affected, it’s reasonable to assume that SPG-ers—who tend to stay exclusively at these properties to amass points—are highly likely to have been affected. Judging by how they responded to relatively mundane inconveniences related to the merger in the last few months, Marriott can expect some serious customer rage.

CNN Business reported:

"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward," said CEO Arne Sorenson in a statement.

Many consumers are lashing out because the unauthorized access into the Starwood network dates back to 2014—meaning that Marriott acquired the properties in 2016 as they were being hacked, yet did not notice or report the security breach for roughly two more years.

Quartz reported:

Marriott’s shares fell by more than 5% in premarket trading in New York. The hack is set to be the second-largest in history, in terms of people affected; Yahoo’s 2013 breach exposed the data of 3 billion people.

The Verge reported:

Database breaches are far too common, but it’s unusual to hear a large company not detect unauthorized access to its network and key customer database for a period of four years. Marriott’s carefully worded statement doesn’t identify who obtained access and how. That’s particularly troubling, as if this wasn’t a hack or full security breach then it could have been sloppy security that let anyone access this information and clone the database. That’s backed up by the fact Marriott reveals it discovered the database breach through a copied and encrypted version. Whether this copy is public, or for sale on the dark web, remains vague. There are signs Marriott could have been breached in the past.

How would you advise Marriott to rebuild consumer trust, PR Daily readers?

from PR Daily News Feed https://ift.tt/2RqWf68
