Marriott International Inc. announced Friday that a data breach lasting four years has compromised the personal information of up to 500 million of its hotel guests worldwide. The breach, one of the largest ever, raises questions about whether companies have enough incentive to protect people’s private information.
The compromised data include passport numbers, dates of birth and potentially credit card information, in addition to contact information such as mailing addresses and email addresses.
Consequences in the United States are uncertain, but new laws in Europe could stick the global hotelier with hundreds of millions of dollars in fines.
The security breach affected the reservation system of Starwood, a hotel company Marriott acquired in 2016, and affected guest information for reservations made from an unspecified date in 2014 through Sept. 10 of this year. Starwood properties include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, the Luxury Collection, Le Méridien, Four Points, and Starwood-branded timeshares.
The Bethesda, Md., company said that the amount of data exposed varied from guest to guest. For about 327 million, stolen data may have included contact information, passport number, date of birth, gender information, arrival and departure information, reservation date and Starwood Preferred Guest account information. Others had more limited exposure.
An unspecified number of payment card numbers and expiration dates were also exposed. Marriott said that the card information was encrypted but that the attacker may have obtained the keys to decrypt it.
"We fell short of what our guests deserve and what we expect of ourselves," Chief Executive Arne Sorenson said in a statement. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Marriott’s stock slid 5.6% on Friday to $115.03 a share.
Marriott said that it was sending email notifications to those who may have been affected and that residents of the United States, Canada and the United Kingdom would be eligible for a free year of enrollment in WebWatcher, an identity fraud alert system.
The U.S. State Department did not appear concerned about the exposure of passport numbers. It said that it “would like to assure U.S. citizens that the U.S. passport book and passport card are highly secure documents,” and that no one can travel or access State Department records with just a passport number.
Marriott said it was first alerted to a potential breach Sept. 8 and found that a cache of information had been copied, encrypted and possibly removed by an unknown hacker. On Nov. 19, the company managed to decrypt the files and discovered the magnitude and nature of the breach.
In a regulatory filing, the company said that it could not yet estimate the financial impact of the breach but noted that it does carry cyber insurance.
A July 2018 study commissioned by IBM and carried out by the Ponemon Institute, a data security think tank, found that the average cost of a data breach for affected companies amounted to $148 per stolen record.
But most of the breaches included in the study were far smaller than the Marriott hack. Ponemon Institute Chairman Larry Ponemon said that for “mega breaches,” in which more than 1 million records are affected, economies of scale kick in.
“Once you have more than 50 million records, it goes down to around $7 a record,” Ponemon said Friday. “These mega breaches are rare, but they’re starting to become less rare, and that’s scary.”
Calculating the cost to people whose data has been compromised is more difficult, Ponemon added. “The average person right now, unbeknownst to most of them, has their names in at least four data breaches,” which makes connecting one breach to a particular incidence of identity fraud almost impossible.
But experts say many companies continue to have a startlingly lax approach to data security.
“I’ve been saying for years, if you want to fix this, you need to regulate these companies,” cybersecurity expert Bruce Schneier said. “We need actual fines. The market rewards lousy security.”
“We find that organizations that spend the money on security up front can probably count on cost savings,” Ponemon said. “But some organizations see data breaches as cost of doing business — if they have a data breach, they’ll be able to pay the fee and hire the law firm and deal with regulators.”
The companies affected by the most notorious recent data breaches have suffered some consequences, both from market forces and from regulators.
In 2017, Yahoo confirmed that every single one of its 3 billion user accounts had been compromised, leaving hackers with names, emails, phone numbers, birth dates and hashed passwords (which are difficult to reverse into the original passwords).
After the breach was announced, Verizon Communications knocked $350 million off its $4.83-billion offer to buy Yahoo’s core internet business.
This April, the U.S. Securities and Exchange Commission reached a $35-million settlement with Altaba — the investment company created out of the Yahoo holdings Verizon did not buy — for failing to disclose the breach for almost two years. And in October, Altaba and Verizon settled two class-action suits, one brought by affected users and the other by investors, for a total of $165 million.
The 2017 Equifax debacle still reigns supreme as the most potentially damaging for consumers. Hackers got into the credit reporting firm’s database and stole the Social Security numbers, dates of birth, home addresses and, in some cases, driver's license and credit card numbers of 147 million people — nearly half the U.S. population.
Equifax’s stock price crashed after the company disclosed the breach, but one year later, the shares had regained nearly all of their value. The stock has since taken a hit, but only in response to a disappointing third-quarter earnings report. In filings, the company said that the breach has cost a total of $384 million in improved security technology and crisis management, $125 million of which was covered by insurance. The company expects to have $3.4 billion in revenue this year.
To date, Equifax has faced fines only in the United Kingdom, where it was hit with the minimum fine of about $640,000 for compromising the information of 15 million Britons. Under the more stringent General Data Protection Regulation, which has since taken effect across Europe, the company could have been fined up to 4% of its annual revenue, which would be well above $100 million.
“Marriott will weather the bad press and nothing will happen,” Schneier said. “Equifax was bigger than this. Almost every American had their information stolen. There were angry congresspeople on both sides of the aisle. A year later, nothing happened. You must raise the cost of insecurity; otherwise it will keep happening.”
The Marriott breach might prove a fertile testing ground for Europe’s new GDPR rules, which stipulate that companies must report a breach involving information about European Union citizens within 72 hours.
Graham X Doyle, a spokesperson for the Irish agency responsible for GDPR enforcement, said the agency had not received any official notification from Marriott and was reaching out to the company to see if Irish customers had been affected. Marriott said that it reported the incident to law enforcement agencies, but did not say which or when.
In early November, Sen. Ron Wyden (D-Ore.) proposed a bill that would make data breaches much more painful for companies in the United States. It would mirror the GDPR fine of 4% on revenue and allow for executives who knowingly mislead federal authorities about their companies’ data security to be punished with $5-million fines and up to 20 years in prison.
Following Marriott’s announcement of the data breach Friday, the attorneys general of New York and Texas each opened an investigation. Sen. Mark Warner (D-Va.), co-founder of the Senate cybersecurity caucus, said the United States needs laws that will limit data collection. And within hours of the announcement, a law firm asked a court in Maryland to grant class-action status to a suit accusing Marriott of negligence, breach of confidence and deceptive and unfair trade practices.
Times staff writer David Pierson contributed to this report.