11月30日晚间消息，万豪国际酒店集团(Marriott International)刚刚宣布，旗下喜达屋酒店(Starwood Hotel)的一个顾客预订数据库被黑客入侵，可能有约5亿顾客的信息泄露。
Hackers have had access to the Starwood guest reservation database since 2014.
Marriott said forensic experts managed to decrypt the data attackers stole from the Starwood guest reservation database earlier this month, on November 19.
They said the attackers exfiltrated information on up to approximately 500 million guests who made a reservation at a Starwood property.
The Starwood hotel chain, which Marriott acquired in 2016, includes other hotel brands, such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Investigators said that for 327 million of the Starwood guests, the information that attackers stole included a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some of these guests, payment card data was also stolen, but Marriott did not say for how many.
"For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)," the hotel said today in an SEC filing.
"There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken," the hotel chain added.
For the rest, up to 500 million, the data only included a name, and sometimes other info such as mailing address, email address, or other information.
Marriott started today notifying all affected guests via email. Hotel guests will also be able to visit a website that will be available later today at info.starwoodhotels.com for information about the incident. Where eligible, some users will also be able to enroll in a free identity monitoring service.
"We deeply regret this incident happened," said Arne Sorenson, Marriott's President and Chief Executive Officer. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
"Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," Sorenson added.
This is the third breach affecting Marriott's Starwood chain after the infections with Point-of-Sale (PoS) malware disclosed in 2015 and again in 2016.