Marriott International

Days After Massive Breach, Marriott Customers Await Details

Nearly a week after Marriott disclosed a massive breach of its Starwood reservation system, customers complain that the company has not communicated with them to tell them whether they are affected. Marriott says it is sending “rolling” emails to hundreds of millions of victims.*

An estimated 500 million Marriott International customers had their information stolen by hackers sometime within the last four years. But almost a week after the company disclosed that theft, many of those victims are still waiting for an official acknowledgement from the company that their information was stolen.

Customers of the company’s Starwood hotel chain complained in online forums that they had heard nothing from the company about whether their information was stolen by the hackers, who are believed to have lurked on Starwood’s network for more than four years. A Marriott spokesperson noted that the company communicated about the breach “through multiple channels” and says it began sending emails “on a rolling basis” November 30 to affected guests.

See Podcast Episode 123: HaveIBeenPwned’s Troy Hunt on Marriott’s Big Mess and GreatHorn on the Asymmetric Threat of Email

However, by Thursday, almost a full week after disclosing the breach, the rolling emails hadn’t reached Tom Williams of Athol, Massachusetts, who said he had received “nothing” from Marriott or Starwood, where he has been a member since 2016. “Nothing. Pretty lame,” wrote Brian Colker, of Santa Monica, California. Colker said he changed his Starwood password only after receiving an alert about the breach from password management software he uses. An informal Facebook poll of around 30 Starwood customers by Security Ledger Wednesday and Thursday found just two who had been notified by the company.

Online, Starwood customers took to Twitter to ask the company when they would be learning of their fate.

Marriott’s spokesman declined to say how many customers had been notified as of Thursday. The company said it “engaged leading security experts” after learning of the breach to “help determine what occurred,” the spokesman said.

The company shared a copy of the letter it is sending to customers (PDF). Signed by Marriott CEO Arne Sorenson, it is mostly a rehash of the company’s public statement on the incident. It also contains advice on preventing identity theft and, for U.S. residents, links to credit bureaus and state attorneys general offices. The company said it is “working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center.”

A week after announcing a massive hack of its guest reservation system, Marriott still hasn’t notified most victims of the hack.

Notifications to customers typically precede or follow shortly on the heels of public announcements of data breaches, and it is unclear what is responsible for Marriott International’s delays. The company indicated in its press release on Friday that it is still identifying “duplicate” information in the trove of customer data it caught hackers shepherding off the organization’s network.

Whatever the cause, the delays could be expensive. Under the EU General Data Privacy Regulation (GDPR) Article 51, breached firms are required to notify “supervisory authorities” within their country within 72 hours of discovering the leak. The guidelines for notifying affected individuals are less specific, but also unequivocal. GDPR Article 34 requires breached firms to notify victims “without undue delay” when the stolen data is “likely to result in a high risk to the rights and freedoms of natural persons.”

Speaking to The Security Ledger earlier in the week, Vanessa Henri of Hitachi Systems Security noted that the clock to notify in GDPR starts with awareness of the incident. Marriott says that it first detected the breach on September 8, 2018. The company did not confirm that customer data had been stolen until November 19. Under the strict timelines established by GDPR, either date is likely to be trouble for the company if it has not acted in compliance with the law and notified data regulation authorities or its customers. That, in turn, could invite stiff civil penalties as well as lawsuits.

“There is certainly a fine balancing act that firms must maintain,” wrote Mark Sangster, Chief Security Strategist at the firm eSentire, in an email to Security Ledger. Companies need time to plan their response and formulate their communications strategy, investigate the incident and do incident response, he noted. However, companies should also be prepared for the eventuality of a breach with a “well-honed and tested incident response and notification plan” that results in prompt notification. Given civil, class action suits filed in the U.S., investigations by the federal government and state attorneys general and the attention of EU regulators, the Marriott breach will likely help establish a benchmark for notification times, “based on findings by the New York Attorney General, GDPR, and the Office of Civil Rights,” Sangster wrote.

While Marriott has not discussed the source of the compromise, a report from Reuters suggests the incident may be part of an intelligence gathering operation carried out by the government of China. Among other things, Marriott is providing a free subscription to the WebWatcher online monitoring service for a year. Customers affected by the breach can learn more about signing up at info.starwoodhotels.com. 

(*) Editor’s note: added comments by Mark Sangster of eSentire. – PFR 12/6/2018