
Marriott Says Starwood Data Breach Affects up to 500 Million People--10th Update

11/30/2018 | 08:17pm EST

By Aisha Al-Muslim, Dustin Volz and Kimberly Chin

Marriott International Inc. on Friday disclosed one of the biggest data breaches in history, a hack in the reservation database for its Starwood properties that may have exposed the personal information of up to 500 million guests.

News of the attack -- rivaled only by the theft of information in 2013 and 2014 from internet company Yahoo -- roiled customers of the world's largest hotel company and lowered its stock price.

In addition to the size of the Marriott exposure, security analysts say the range of customer data potentially compromised -- such as passport numbers, travel details and payment-card data -- makes the breach even more sensitive. Numerous regulators in the U.S. and abroad said they are monitoring the situation.

"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward," said Marriott Chief Executive Arne Sorenson, who led the company's $13.6 billion acquisition of Starwood Hotels & Resorts Worldwide in 2016.

Marriott, which has more than 6,700 properties world-wide under 30 hotel brands, declined to make company executives available for interviews Friday.

The breach affected only Starwood hotel properties, said Marriott, which had previously hit snags integrating that business.

Starwood brands account for about a third of the company's total collection. They include Sheraton, W Hotels, Westin, Le Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The Luxury Collection, Tribute Portfolio, and Design Hotels.

Marriott, whose other brands include the Ritz-Carlton and Renaissance, has been unifying its reservation system, and by year-end the Starwood system will no longer exist, a company spokeswoman said.

Bethesda, Md.-based Marriott said an internal security tool alerted it to a potential breach on Sept. 8. After an investigation, the company found that the Starwood guest database may have been compromised since 2014. The database contained information for guests who made reservations on or before Sept. 10 at Starwood hotels globally.

Marriott warned that for roughly two-thirds -- or 327 million -- of the guests potentially affected, an unauthorized party may have gained access to names, passport numbers and travel details. The company said that in some cases payment-card numbers are typically encrypted, though it couldn't rule out that card information was stolen.

The company found the hacker had copied the information and encrypted it for extraction before attempting to steal it, though it wasn't until Nov. 19 that Marriott was able to determine what information may have been accessed.

Marriott said it has been working with law enforcement and regulatory authorities regarding the breach.

A Federal Bureau of Investigation spokeswoman said the agency is tracking the situation and by late Friday attorneys general in several states, including New York, Illinois and Massachusetts, said they had opened investigations.

Marriott will face scrutiny from regulators, particularly in Europe where the European Union's General Data Protection Regulation privacy law took effect in May, said Travis LeBlanc, a partner with Boies Schiller Flexner LLP. Although the Starwood breach predates GDPR, Mr. LeBlanc said because the unauthorized activity continued after the law went into effect, the incident would likely be subject to it.

Britain's Information Commissioner's Office, which can fine companies for failing to protect customers' personal data, also is investigating. This year, the office fined major companies including Facebook Inc. and Uber Technologies Inc. for mishandling data.

Shares of Marriott fell 5.6% Friday and are down more than 9% over the past 12 months.

The Marriott hack joins a list of breaches to hit the hospitality industry in recent years. Security analysts say the industry is a ripe target for criminal actors because of the wealth of financial and other information flowing through payment and reservation systems. It also is a highly fragmented business, in which large companies such as Marriott and Hilton Worldwide Holdings Inc. largely license their brands to property owners who manage the hotels.

In 2015, Starwood said hackers had stolen payment-card information during a data breach that lasted nearly eight months at 54 locations. Hilton, InterContinental Hotels Group and the Trump Hotel Collection also have reported data breaches in recent years.

Based on the number of individuals potentially affected, only Yahoo's breach in 2013 -- impacting three billion people, or nearly the entirety of Yahoo's user base -- may be bigger, security analysts said. The hack of Yahoo in 2014 involved roughly 500 million people.

Hackers often root through computer networks for years without detection. That can make investigating a breach more difficult, as companies often don't retain the full history of systems and network-traffic logs, said Blake Darche, co-founder and chief security officer at the cybersecurity company Area 1 Security.

The size and duration of the Marriott hack also could indicate involvement of a foreign government, but former U.S. intelligence officials cautioned it was too soon to make any conclusions.

The passport information -- a data set that is least commonly compromised in commercial breaches -- could be especially valuable to spy agencies looking to compile detailed dossiers on international business travelers and government officials.

"There is a risk that these passport numbers can be paired with other useful identifiers," such as social security numbers, home addresses and email password-security answers, said David Weinstein, vice president of threat research at security firm Claroty and a former official at U.S. Cyber Command. Mr. Weinstein said he wasn't aware of any previous theft of such a large number of passport numbers.

Marriott said it would begin Friday to notify affected guests whose email addresses were in the Starwood database. It has set up a website and call center to answer questions about the breach. The company is also providing guests free enrollment for a year in WebWatcher, a service that monitors internet sites where personal information is shared.

"We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," Mr. Sorenson said.

The data breach adds to problems Marriott has encountered in its integration of Starwood. Travelers have reported problems with hotel stays being credited to loyalty accounts and have complained about customer service not helping when issues were identified.

Marriott merged Starwood's loyalty program with its own Marriott Rewards in mid-August. The program now counts more than 120 million members.

Kaitlyn Seredoka, who has been a Starwood rewards member for two years, said she would likely try to cancel her account. The 31-year-old Oshawa, Ontario, resident said she hadn't been directly contacted about her information being compromised but planned to reach out to the call center after work Friday.

"I'm upset," said Ms. Seredoka, a catering-company manager who says she books stays with Starwood about twice a year. "I give my information assuming it's going to be kept confidential. I don't even know what info they have aside from my cellphone number."

Charles Chan Massey and his husband have been Marriott and Starwood rewards members for more than 15 years and use the hotels frequently for personal and professional trips. Mr. Massey, a corporate meeting and event planner, said neither has been notified directly of the breach, but they have no intention of canceling their memberships.

"It's annoying but the potential for being hacked has become an unfortunate part of 21st century life," said the 54-year-old Los Angeles resident.

The brand and reputational damage Marriott could face from the breach also places a spotlight on the company's examination of Starwood before the takeover deal, said Jeff Pollard, an analyst for Forrester Research Inc.

"With all the M&A occurring, it highlights the importance of robust cybersecurity due diligence during the acquisition process," Mr. Pollard said.

In a Friday regulatory filing, Marriott said that it couldn't yet estimate the financial impact of the data breach. The company, which carries cyber insurance, said it is working with its insurance carriers to assess coverage and it will disclose costs later.

"The company does not believe this incident will impact its long-term financial health," Marriott said in the filing.

Marriott earlier this month trimmed its full-year forecast on a key revenue metric because of weaker demand in North America, its biggest market.

--Robert McMillan, Anne Steele and Stu Woo contributed to this article.

Write to Aisha Al-Muslim at aisha.al-muslim@wsj.com, Dustin Volz at dustin.volz@wsj.com and Kimberly Chin at kimberly.chin@wsj.com
