
Marriott-Starwood: 500 Million Hotel Guests Had Their Data Stolen

LeakedSource Team

Four Years Undetected

In November 2018, Marriott International announced that its Starwood guest reservation database had been breached. The company initially put the number of affected guests at up to 500 million (a figure it later revised to roughly 383 million guest records), and its investigation found that the unauthorized access dated back to 2014, two years before Marriott even acquired Starwood.

This meant that when Marriott bought Starwood Hotels & Resorts for about $13.6 billion in 2016, it also inherited a massive, undetected security breach.

What Was Taken

For approximately 327 million guests, the stolen data included:

  • Names, mailing addresses, and email addresses
  • Phone numbers and dates of birth
  • Passport numbers for millions of travelers (Marriott later said roughly 5.25 million of them were stored unencrypted)
  • Starwood Preferred Guest account details
  • Arrival and departure dates and reservation details
  • Credit card numbers and expiration dates (encrypted with AES-128, but Marriott could not rule out that the two components needed to decrypt them had also been taken)

The remaining guests had limited combinations of name, address, and email exposed.

Why Travel Data Is Uniquely Dangerous

Stolen hotel reservation data reveals more than contact information. Arrival and departure dates, tied to a name and a passport number, build a detailed map of a person's movements over time. For high-value targets such as government officials, executives, and journalists, that travel history is intelligence in its own right: it shows who was in which city when, and who else was there at the same time.

The breach was widely attributed in press reports to Chinese state-sponsored hackers, though China denied involvement. Passport numbers are exactly the identifiers an intelligence service would want to correlate against its own border and visa records, which is why the passport data alone made this breach a counterintelligence problem.

The Acquisition Problem

The Marriott breach highlights a risk that many companies overlook: cybersecurity due diligence in mergers and acquisitions.

When Marriott acquired Starwood, the breach was already two years old. The attackers had persistent access to the reservation system, and nothing in the acquisition process caught it. It took another two years after the merger before, in September 2018, an internal security tool flagged an unusual query against the Starwood guest reservation database; the investigation triggered by that alert traced the unauthorized access back to 2014.
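The kind of check that finally surfaced the intrusion, a monitor that notices a query which does not look like normal application traffic, is simple to express. The following is an added example written for this post; it is not Marriott's tool, and the audit-log format and the log lines themselves are constructed for illustration. It replays database audit records, keeps a running per-account baseline of rows returned, and raises an alert on three patterns typical of a data-theft stage: a whole-table COUNT(*) (sizing a table before export), a single result set above a hard cap, and a result set far larger than the account's own history.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Constructed audit-log lines (not real Marriott/Starwood data): a booking service
// doing point lookups, then a privileged service account counting and dumping a table.
var SampleLog = []string{
	`2018-09-07T14:02:11Z user=app_booking rows=1 sql="SELECT * FROM reservations WHERE confirmation_no = $1"`,
	`2018-09-07T14:02:13Z user=app_booking rows=1 sql="SELECT * FROM reservations WHERE confirmation_no = $1"`,
	`2018-09-07T14:02:20Z user=app_booking rows=2 sql="SELECT * FROM guests WHERE guest_id = $1"`,
	`2018-09-07T14:03:01Z user=app_booking rows=1 sql="SELECT * FROM reservations WHERE confirmation_no = $1"`,
	`2018-09-07T14:03:45Z user=app_booking rows=1 sql="SELECT * FROM guests WHERE guest_id = $1"`,
	`2018-09-07T14:04:02Z user=app_booking rows=1200 sql="SELECT * FROM reservations WHERE hotel_id = $1"`,
	`2018-09-08T02:17:43Z user=svc_admin rows=1 sql="SELECT COUNT(*) FROM guests"`,
	`2018-09-08T02:19:05Z user=svc_admin rows=250000 sql="SELECT name, passport_no, email FROM guests"`,
}

const (
	bulkRowCap   = 10000 // any single result set above this is treated as an export
	baselineMin  = 5     // queries seen before an account's baseline is trusted
	baselineMult = 50.0  // rows vs. the account's running average that counts as anomalous
)

var (
	// Assumed line format: <RFC3339 time> user=<account> rows=<n> sql="<statement>"
	lineRe       = regexp.MustCompile(`^(\S+) user=(\S+) rows=(\d+) sql="(.*)"$`)
	tableCountRe = regexp.MustCompile(`(?i)^\s*select\s+count\(\*\)\s+from\s+\w+\s*;?$`)
)

// QueryEvent is one parsed audit record.
type QueryEvent struct {
	When time.Time
	User string
	Rows int
	SQL  string
}

// Alert is one suspicious event together with the rule that fired.
type Alert struct {
	Event  QueryEvent
	Reason string
}

// ParseLine converts one audit line into a QueryEvent, rejecting malformed input.
func ParseLine(line string) (QueryEvent, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return QueryEvent{}, fmt.Errorf("unparseable audit line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return QueryEvent{}, err
	}
	rows, err := strconv.Atoi(m[3])
	if err != nil {
		return QueryEvent{}, err
	}
	return QueryEvent{When: when, User: m[2], Rows: rows, SQL: m[4]}, nil
}

// baseline is the running count and row total for one account.
type baseline struct{ n, rows int }

// Analyze replays the lines in order and returns every alert raised.
// The baseline is updated after each event, including flagged ones; a production
// monitor would exclude flagged events so an attacker cannot "train" the baseline up.
func Analyze(lines []string) ([]Alert, error) {
	base := map[string]*baseline{}
	var alerts []Alert
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		b := base[ev.User]
		if b == nil {
			b = &baseline{}
			base[ev.User] = b
		}
		if tableCountRe.MatchString(ev.SQL) {
			alerts = append(alerts, Alert{Event: ev, Reason: "whole-table COUNT(*): sizing a table before export"})
		}
		if ev.Rows > bulkRowCap {
			alerts = append(alerts, Alert{Event: ev, Reason: fmt.Sprintf("%d rows in one result set exceeds bulk cap %d", ev.Rows, bulkRowCap)})
		} else if b.n >= baselineMin {
			avg := float64(b.rows) / float64(b.n)
			if float64(ev.Rows) > baselineMult*avg {
				alerts = append(alerts, Alert{Event: ev, Reason: fmt.Sprintf("%d rows vs. running average %.1f for %s", ev.Rows, avg, ev.User)})
			}
		}
		b.n++
		b.rows += ev.Rows
	}
	return alerts, nil
}

func main() {
	alerts, err := Analyze(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-12s %s\n", a.Event.When.Format(time.RFC3339), a.Event.User, a.Reason)
	}
}
```

Run against the constructed log, the booking account's 1,200-row query is flagged because the account had only ever returned one or two rows at a time, and the service account's COUNT(*) followed by a 250,000-row pull each fire their own rule. Thresholds like these need tuning per application, but the structure (rules for known export patterns plus a per-identity volume baseline) is what turns four years of dwell time into hours.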

Financial and Legal Consequences

  • GDPR fine — The UK's Information Commissioner's Office fined Marriott £18.4 million under GDPR in October 2020, down from the £99 million it had originally proposed
  • Regulatory settlement — In October 2024 Marriott agreed to pay $52 million to settle an investigation by 49 state attorneys general and the District of Columbia, alongside a separate FTC consent order requiring it to overhaul its security program; consumer class actions have been litigated separately
  • Customer compensation — affected guests were offered a free one-year subscription to the WebWatcher identity monitoring service

Key Takeaways

  • Mergers create hidden risk. Conduct a thorough security audit, including an active hunt for existing compromise, before connecting an acquired company's infrastructure to your own.
  • Long dwell times are common. Industry breach reports still put the typical time to identify an intrusion at months, not days, and this one ran for four years.
  • Passport numbers can't be reset. Unlike passwords, a passport number is a long-term identifier that is expensive and time-consuming to change.
  • Encrypted data isn't always safe. If attackers can also take the encryption keys, the encryption provides no protection. Data-encryption keys belong outside the database, ideally in an HSM or key management service, so that a copy of the database alone is worthless.
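The last takeaway is a design property, not a slogan, and it is easy to show. The following is an added example written for this post (not Marriott's code, and no claim about how Starwood's system actually stored its keys). Card numbers are encrypted with AES-128-GCM under a data-encryption key (DEK); the DEK is itself stored in the database only in wrapped form, encrypted under a key-encryption key (KEK) that never enters the database. Recover simulates what an attacker can do with a copy of the database: nothing without the KEK, everything with it. The card numbers are standard test values and the KEK is generated locally, which is an assumption standing in for an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// DBDump is everything an attacker gets by copying the reservation database:
// every encrypted card number plus the wrapped DEK. The KEK is not in the dump.
type DBDump struct {
	WrappedDEK []byte
	Cards      [][]byte
}

// RandomKey returns a fresh 128-bit key (AES-128, the cipher Marriott reported using).
func RandomKey() []byte {
	k := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts plaintext with AES-GCM under key; the result is nonce || ciphertext || tag.
// aad is authenticated but not encrypted; it binds each blob to its purpose so a
// wrapped DEK cannot be replayed where a card number is expected, or vice versa.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or modified byte fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Store encrypts card numbers under a fresh DEK and stores that DEK wrapped under kek.
func Store(kek []byte, pans []string) (DBDump, error) {
	dek := RandomKey()
	wrapped, err := seal(kek, dek, []byte("dek"))
	if err != nil {
		return DBDump{}, err
	}
	dump := DBDump{WrappedDEK: wrapped}
	for _, pan := range pans {
		ct, err := seal(dek, []byte(pan), []byte("pan"))
		if err != nil {
			return DBDump{}, err
		}
		dump.Cards = append(dump.Cards, ct)
	}
	return dump, nil
}

// Recover is what anyone holding the dump can do with a candidate KEK.
// No KEK or the wrong KEK: the wrapped DEK cannot be unwrapped and nothing comes out.
// The right KEK: every card number is recovered, which is the "keys stolen too" case.
func Recover(dump DBDump, kek []byte) ([]string, error) {
	if kek == nil {
		return nil, errors.New("no KEK: wrapped DEK is unusable")
	}
	dek, err := open(kek, dump.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	out := make([]string, 0, len(dump.Cards))
	for _, ct := range dump.Cards {
		pt, err := open(dek, ct, []byte("pan"))
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

func main() {
	kek := RandomKey() // stands in for a key held in an HSM/KMS, never in the database
	dump, err := Store(kek, []string{"4111111111111111", "5500000000000004"}) // constructed test PANs
	if err != nil {
		panic(err)
	}
	_, err = Recover(dump, nil)
	fmt.Println("dump only:", err)
	_, err = Recover(dump, RandomKey())
	fmt.Println("dump + wrong KEK:", err)
	pans, _ := Recover(dump, kek)
	fmt.Println("dump + KEK:", pans)
}
```

The separation only helps if the KEK really is somewhere the database host cannot read at rest: an HSM, a cloud KMS, or at minimum a different system with its own access controls and audit trail. If the KEK sits in a config file on the same server, or the DEK is stored unwrapped, an attacker with a database copy and a shell has both "components" and the encryption is decoration.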

Search for your information on LeakedSource to check whether your hotel booking data has been exposed in this or other breaches.
