International hotel chain’s shares plummet over revelations of reservation database hacking
As many as 500 million guests at Marriott International hotels may have been victims of a hack that in many cases pilfered passport numbers, birthdates or other identifying data dating back to 2014, the company announced on Friday.
The hack is among the largest ever disclosed, prompting a big drop in Marriott shares and investigations in at least three U.S. states including, New York, where Attorney General Barbara Underwood said on Twitter that “New Yorkers deserve to know that their personal information will be protected.”
Marriott said it was alerted on Sept. 8 that there had been an attempt to hack their reservation database in the United States. A subsequent probe concluded on Nov. 19 “that there had been unauthorized access to the Starwood network since 2014” which compromised personal and financial information.
Hotel brands in the Starwood network include Sheraton, Westin, Four Points and W Hotels. Marriott completed a $13.6 billion acquisition of Starwood in 2016.
“We deeply regret this incident happened,” Marriott chief Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves.”
The investigation determined that for about 327 million guests, the hacked information included items such as names, addresses, passport numbers and dates of birth. Marriott also could not rule out that hackers were also able to access some encrypted credit card information.
For the other guests, the information was limited to names and sometimes other data such as mailing and email addresses or other information, the company said.
After reaching the deal with Marriott in November 2015, Starwood disclosed that it suffered a hack on some hotels in North America, later determining that malware affected restaurants and gift shops but that there was no evidence the infiltration had netted key consumer data, such as social security numbers or debit card codes.
Marriott’s statement did not mention the earlier Starwood disclosure.
Marriott said it would reach out to victims of the hack and was offering support to those affected including free, one-year enrolment in WebWatcher, a service which monitors internet sites where personal data is shared.
Marriott also is working with law enforcement and security experts to tighten security on its system.
Besides New York, prosecutors in Pennsylvania and Maryland are probing the incident. Federal officials also are monitoring the episode. “The FBI is aware of the reporting and tracking the situation as appropriate,” a spokesman said. “Individuals contacted by the company should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.”
It is the latest case among the massive breaches that have compromised personal data and that can cause years of headaches for victims, who often face serious legal and financial repercussions. The largest known hack hit some three billion Yahoo accounts in 2013 and 2014.
Marriott said it was “premature” to estimate the financial hit from the breach and that it carried cyber insurance that could take care of some of the costs.
“The company does not believe this incident will impact its long-term financial health,” the hotel company said in a securities filing.
Marriott likely faces a near-term reputational hit from the incident, although it is mitigated somewhat by the fact that the breach has been confined to the Starwood properties and not to the Marriott brand itself, said a note from Goldman Sachs. “Experiences from retailers would suggest that traffic and share loss do occur but tend to be short-lived, especially if consumers believe they are safer after the breach has occurred,” Goldman Sachs said.
Shares of Marriott ended down 5.6 percent at $115.03.