NEW YORK — The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.
Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers, and hotel arrival and departure dates.
It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
But the target here – hotels where high-stakes business deals, romantic trysts and espionage are daily currency – makes the data gathered especially sensitive.
Jesse Varsalone, a University of Maryland cybersecurity expert, said the affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials.
“There are just so many things you can extrapolate from people staying at hotels,” Varsalone said.
And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.
Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.
Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.
Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected until Sept. 8 but was unable to determine until last week what data had possibly been exposed – because the thieves used encryption to remove it in order to avoid detection.
Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.
Send questions/comments to the editors.
Success. Please wait for the page to reload. If the page does not reload within 5 seconds, please refresh the page.
Enter your email and password to access comments.
Hi, to comment on stories you must . This profile is in addition to your subscription and website login.
Already have a commenting profile? .
Invalid username/password.
Please check your email to confirm and complete your registration.
Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.
Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.