A Marriott Hotels data breach has been discovered which could impact up to 500 million customers who previously made bookings at Starwood Hotels and Resorts. While the data breach is not the biggest ever reported – the 2013 Yahoo breach exposed up to 3 billion records – it is tied for second largest with the 2014 Yahoo data breach, which also impacted around half a billion users.

The Marriott data breach may not have impacted as many Internet users as the 2013 Yahoo data breach, but due to the range of information stolen it is arguably more serious. Almost 173 million individuals have had their name, mailing address, and email address stolen, and around 327 million customers have had a combination of their name, address, phone number, email address, date of birth, gender, passport number, booking data, arrival and departure dates, and Starwood Guest Program (SPG) account numbers illegally taken. Additionally, Marriott also believes credit card details may have been illegally taken. While the credit card numbers were encrypted, Marriott cannot outright confirm whether the two pieces of data required to decrypt the credit card numbers were also taken by the hacker.

Along with past guests at Starwood Hotels and Resorts and Starwood-branded timeshare properties, guests at Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Aloft Hotels, Element Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, and Four Points by Sheraton have had their data compromised, as have guests at Design Hotels that registered for the SPG program.

The data breach was discovered by Marriott on September 8, 2018, following an attempt by an unauthorized person to access the Starwood database. The investigation showed that the cybercriminal behind the attack first gained access to the Starwood database in 2014. It is currently not public knowledge how access to the database was obtained.

The Marriott hotels data breach is extremely serious and will prove massively expensive for the hotel group. Marriott has already offered U.S.-based victims free enrollment in WebWatcher, has paid for third-party experts to review and help address the data breach, and the hotel group will be strengthening its security and phasing out Starwood databases.

Even though the Marriott hotels data breach has only just been made public, two class action lawsuits have already been filed. One of the lawsuits seeks damages totaling $12.5 billion – $25 per person impacted.

There is also the chance of a fine under the E.U. General Data Protection Regulation (GDPR). Fines of up to €20 million can be imposed, or 4% of global annual revenue, whichever is greater. That could place Marriott at risk of a $916 million (€807 million) penalty. The UK’s Information Commissioner’s Office – the GDPR supervisory authority in the UK – has been made aware of the breach and is making enquiries.

Danger of Marriott Data Breach Related Phishing Attacks

Marriott has sent email notifications to those impacted by the breach. They were sent from the domain email-marriott.com. Rendition Infosec/FireEye researchers bought the domains email-marriot.com and email.mariott.com just after the announcement to keep them out of the hands of hackers. Other similar domains may be bought up by less scrupulous individuals to be used for phishing attacks.

A breach of this extent is also ideal for speculative phishing attempts that spoof the email domain owned by Marriott. Mass email campaigns will likely be sent out indiscriminately in the hope that they reach breach victims or individuals who have previously stayed at a Marriott hotel or one of its associated brands.
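The two lookalike domains named above (a dropped letter in email-marriot.com, and a subdomain of the misspelled mariott.com) are the kind of sender domain a mail gateway or SOC can flag automatically. The following is an added example, not code from the article or from Marriott, Rendition Infosec or FireEye: it classifies an inbound sender domain as legitimate, lookalike or unrelated by comparing its registrable part against an allow-list with a small edit-distance threshold, and by catching brand labels used under some other domain. Assumptions: the allow-list entry marriott.com is an assumed corporate domain (only email-marriott.com is from the article), the registrable domain is approximated as the last two labels (no public suffix list), and the mail-log lines are constructed.

```python
import re

# Constructed allow-list of legitimate sender domains. Only email-marriott.com
# comes from the article; marriott.com is an assumed corporate domain added so
# that lookalikes of the bare brand are also caught.
LEGIT_DOMAINS = {"email-marriott.com", "marriott.com"}

# Labels that identify the brand (the leftmost label of each legitimate domain).
BRAND_LABELS = {d.split(".")[0] for d in LEGIT_DOMAINS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Last two labels of a hostname. Simplified heuristic (assumption: no
    public suffix list), so multi-part TLDs such as co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender_domain(domain: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain."""
    d = domain.lower().rstrip(".")
    reg = registrable_domain(d)
    if d in LEGIT_DOMAINS or reg in LEGIT_DOMAINS:
        return "legitimate"
    # Brand name used as a label under some other registrable domain,
    # e.g. marriott.com.evil.example.
    if any(label in BRAND_LABELS for label in d.split(".")):
        return "lookalike"
    # Registrable domain within a few edits of a legitimate one,
    # e.g. email-marriot.com or mariott.com (one dropped letter each).
    closest = min(levenshtein(reg, legit) for legit in LEGIT_DOMAINS)
    return "lookalike" if closest <= max_distance else "unrelated"


# Matches the sender domain in a from=<user@domain> field.
FROM_RE = re.compile(r"from=<[^>@]*@([^>]+)>")


def scan_mail_log(lines):
    """Extract sender domains from mail-log style lines and classify each.
    Returns (domain, verdict) pairs for lines that carry a from=<...> field."""
    results = []
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            dom = m.group(1)
            results.append((dom, classify_sender_domain(dom)))
    return results


# Constructed sample log lines (not real mail traffic).
SAMPLE_LOG = [
    "2018-12-01T10:01:02 inbound from=<noreply@email-marriott.com> to=<guest@example.org>",
    "2018-12-01T10:05:44 inbound from=<security@email-marriot.com> to=<guest@example.org>",
    "2018-12-01T10:07:10 inbound from=<alerts@email.mariott.com> to=<guest@example.org>",
    "2018-12-01T10:09:31 inbound from=<news@newsletter.example.net> to=<guest@example.org>",
]

if __name__ == "__main__":
    for dom, verdict in scan_mail_log(SAMPLE_LOG):
        print(f"{verdict:10s} {dom}")
```

The threshold of two edits is deliberately tight: it catches dropped, doubled and swapped letters without flagging every short domain, and the brand-label check covers the case where the real name is intact but sits under an unrelated registrable domain. A production filter would add a public suffix list and homoglyph normalisation, and would treat a "lookalike" verdict as a reason to quarantine or annotate the message rather than to drop it silently.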