By Carlo Versano and Chloe Aiello
Marriott's reservation system for its Starwood hotel properties has been breached since 2014, exposing the sensitive personal data of up to 500 million guests over more than four years, the world's largest hotel chain revealed Friday. New York Attorney General Barbara Underwood immediately announced an investigation into the attack.
The hacked personal data included passport numbers, credit card information, dates of birth, and phone numbers. The breach amounts to the largest corporate data hack since 2013, when Yahoo!'s entire user base of three billion people was exposed. But a hotel database would likely hold more sensitive information, meaning a hack of this scale from the world's leading hotel chain could be the most significant yet.
Rikesh Thapa, the CTO and co-founder of blockchain technology company Blockparty, said he assumes bad actors wasted no time in securing the information, so people who suspect their data was compromised need to be vigilant.
"I would bet that it was on the black market already," Thapa told Cheddar on Friday.
The breach of Equifax's database last year exposed social security numbers and credit cards of about 200,000 people in the U.S., a fraction of the number of customers who may be impacted after Marriott's disclosure.
Marriott acquired Starwood in 2015 for $13 billion, folding brands like Westin, Sheraton, W, and St. Regis into the Marriott portfolio. The company said any reservation between 2014 and Sept. 10, 2018 at any Starwood properties worldwide was affected.
Marriott President Arne Sorneson apologized in a statement, saying: "We are doing everything we can to support our guests, and using lessons learned to be better moving forward.” The company set up a website to provide more information about the breach. It also said it was working with law enforcement to identify the hackers. Marriott did not say why it took four years to identify that its systems had been penetrated.
The delay suggests the company was technologically far behind, Thapa said.
The hack "should never have happened if Marriott or companies like Marriott paid attention to technological advancements and made sure that their machines were up to date," Thapa said.
"This hack supposedly happened in 2014 ... which means they had not upgraded their system for probably more than four years, so this person was siphoning data, or group was siphoning data, since then."
As for what's next for Marriott, Thapa said he expects "they are going to get fined like crazy" for violating Europe's General Data Protection Regulation.
"Whether or not they survive it, they're definitely going to be calling up a lot of security professionals trying to upgrade their security system ー I would hope so," he said.
Ted Rossman, an analyst for CreditCards.com, took a rosier view than many analysts Friday. "I don't know if there's anything truly new here," he said, predicting more corporate hacks will follow. "We as consumers need to assume that our data is out there."
He pointed out a new law that makes it free for consumers to freeze, and then "thaw," their credit ー a process that used to cost $30 in some states and involve rounds of phone calls. Now it can be done via the websites of the three main credit agencies. Credit freezing is the "best line of defense we have," according to Rossman.
Shares of Marriott plummeted 5 percent on news of the hack.