Listen Now

Marriott Acknowledges Data Breach At Starwood Hotels

Nov 30, 2018
Originally published on November 30, 2018 9:36 am
Copyright 2018 NPR. To see more, visit https://www.npr.org.

RACHEL MARTIN, HOST:

Now we're following news this morning of a massive data breach. One of the largest hotel chains in the world, Marriott, has said it has been the target of a massive breach. Up to 500 million guests who made reservations at Marriott Starwood properties around the world may have had their information compromised. NPR's senior business editor Uri Berliner is following us and joins us now. Uri, give us exactly a sense of the scope of this.

URI BERLINER, BYLINE: Yeah. It's enormous. This may wind up being one of the largest hacks ever that we know of. As you said, approximately 500 million guests who made reservations with Starwood properties had their information breached. About 327 million of those customers had some combination of this information stolen - their mailing address, phone number, email address, passport number, their gender, date of birth. Very sensitive, important, significant information.

Also, additionally, the hackers or hacker obtained credit card information for some of those customers. Marriott says that information was encrypted, but - and this is a big but - there are two components needed to decrypt that credit card information, and the hackers may have stolen that, too.

MARTIN: And I suppose we don't know at this point what the vulnerability was, where exactly they hacked?

BERLINER: No. We don't. What we know is that Marriott says on September 8 of this year, it received an alert from an internal security tool about an attempt to access the Starwood's guest reservation database. And then not until a little more than two months later, on November 19, Marriott decrypted the information, determined that the contents were from Starwood's guest reservation database. And Starwood includes, you know, a number of hotel properties - W Hotels, Sheraton, Westin, St. Regis, Meridien and several others.

MARTIN: So lots and lots of people have been staying at those hotels. What are those guests supposed to do?

BERLINER: Well, I mean, Marriott says it is setting up a website and call center to answer questions. It's going to begin sending emails to those affected guests. You know, they can put a freeze on their credit inquiries. There are a number of things they can do. But, you know, this, again, is a very significant breach of trust by an important company.

MARTIN: Right. Overall, what kind of impact is this going to have on the hotel industry? I mean, I imagine other chains are looking at their security right at this very moment to make sure it doesn't happen to them.

BERLINER: I'm sure they will. You know, a hotel is very personal experience. You go in there, and the first thing the hotel does is, we need information. We need your credit card information, your driver's license. You give them that information with the assumption that it's going to be protected. They don't let you in the room until you give them that information. And in this case, that information was not protected. So I think this is going to be a very difficult thing for this company and the hotel industry in general.

MARTIN: NPR senior business editor Uri Berliner. We've been talking about this massive data breach we've gotten word of this morning. Marriott Starwood properties announced that 500 million of their guests may have had their personal information compromised. Uri, thanks so much for talking with us and walking us through this story. We appreciate it.

BERLINER: Sure thing. You're welcome. Transcript provided by NPR, Copyright NPR.