Marriott Mega Data Breach.

Hello from Brazil and the Palacio Tangara, which is a pretty amazing hotel.  A full write up will be coming shortly.  Also a write up of the Concorde Room at Heathrow and an absolutely old-school, totally first class British Airways crew on my trip out here.

But for the moment, I felt it was worth writing about the mega data breach that Marriott just announced to the media a couple of days ago.

Less than a week earlier, I wrote this article about a seemingly more minor matter of data privacy and security at Marriott.  Little did I know how prescient it was.

So what has actually happened?  It is being described as a “Starwood Guest Reservation Database Security Incident” as it started off in what was the former Starwood reservation system.

  • The breach was identified on 19th November
  • Up to 500 million guests' details were compromised
  • The unauthorised access started as far back as 2014

Marriott explained that:

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States.  Marriott quickly engaged leading security experts to help determine what occurred.  Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.  The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.  On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”

For 327 million guests, compromised data includes a combination of:

  • Name
  • Mailing address
  • Phone number
  • Email address
  • Passport number
  • Starwood Preferred Guest (“SPG”) account information
  • Date of birth
  • Gender
  • Arrival and departure information
  • Reservation date
  • Communication preferences

In addition:

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

So that’s pretty much everything then.


This won’t be the last data breach from the travel industry.  We’ve seen British Airways, Cathay Pacific and now Marriott clearly not investing enough, nor taking this seriously.  My own experience on this very blog shows that this is still the case, even after this incident was known about internally.

What we need is for regulators like the UK Information Commissioner to start taking consequential enforcement action against companies, as they are now allowed to under GDPR legislation.  Only when companies start seeing an actual revenue hit to their numbers will they start to take this seriously.

