November seems to be ending with a bang on the security front. Marriott has been hit with a huge 500 million account data breach.
Large data leaks and breaches has become something of a mini-theme for the month of November. First, we brought you news about the Amazon data leak. In that case, an unknown number of accounts were compromised. Next up was the Brazilian FIESP data leak which exposed at least 35 million accounts. From there, the Malta Lands Authority suffered a data leak which saw 10GB of data exposed. Finally, the United States Postal Service also suffered what we thought would be the largest security incident where 60 million accounts were exposed in a leak. By comparison, those incidents are pretty small for this latest one.
Major hotel chain Marriott today admitted that they were hit with a major data breach. The breach saw a stunning 500 million accounts compromised. From TechCrunch:
Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach.
The hotel and resorts giant said in a statement filed with U.S. regulators that the “unauthorized access” to its guest database was detected on or before September 10 — but may date back as far as 2014.
“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” said the statement. “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
Some 327 million records contained a guest’s name, postal address, phone number, date of birth, gender, email address, passport number, Starwood’s rewards information (including points and balance), arrival and departure information, reservation date and their communication preferences.
Starwood said an unknown number of records contained encrypted credit card data, but has “not been able to rule out” that the components needed to decrypt the data wasn’t also taken.
“Marriott reported this incident to law enforcement and continues to support their investigation,” said the statement.
As the report indicates, the hotel chain also operates within Europe. As such, they run the risk of substantial fines and penalties depending on how they reacted to the breach from the European perspective.
Still, it’s hard to not talk about the size of this breach. For perspective, the largest known breach was the Yahoo! data breach which weighs in at 3 billion accounts. The second largest that we are aware of is the Aadhaar biometric data breach which weighed in at 1 billion accounts. The third largest breach we know of is the Yahoo! 2014 data breach which saw an additional 500 million accounts compromised. The AdultFriendFinder breach struck 412 million accounts. Unless there’s a leak or breach that we’re missing here that is comparable in size, this breach could tie for the third largest breach ever.
While we cannot say the size of the breach is unprecedented, it is still a massive one. Since it is so early on in the case, we don’t even know if the numbers will increase from here once more is known about the breach. Just diagnosing the size of the breach is going to take a while let alone figure out how to resolve the problem.
One thing is for sure, this is going to ruin a lot of people’s days, that’s for sure.