Marriott on Friday said the hack of the reservation database for its Starwood properties, which involved the theft of personal information on up to 500 million customers, began in 2014 and went undetected until this September.
In 2015, Starwood reported a much smaller breach, in which attackers installed malware on point-of-sale systems in some hotel restaurants and gift shops to siphon off payment-card information. It disclosed the attack four days after Marriott announced a deal to acquire Starwood Hotels & Resorts Worldwide for what ended up being $13.6 billion, creating the No. 1 hotel company globally.
Marriott says that the 2015 incident was different and not related to the attack made public Friday. But security specialists say that while it’s not unusual for breach investigations to miss a second intruder, a more thorough investigation into the 2015 intrusion could have uncovered the attackers, who instead were able to lurk in its reservation system for three more years.
“With all the resources they have, they should have been able to isolate hackers back in 2015,” said Andrei Barysevich, a researcher with the security company Recorded Future Inc.
Obviously, all involved would have preferred that this incident had been identified earlier,” a Marriott spokeswoman said Sunday via email. “When there is a concern that payment cards are at risk, forensic investigations start looking at devices that process payment cards and follow the evidence from there.”
The spokeswoman declined to comment on the 2015 investigation, saying it happened before Marriott had acquired the company. Starwood said at the time that it didn’t think that attack affected its guest reservation system.
The newly disclosed data theft is rivaled in its scope only by hacks against Yahoo in 2014 and 2013 that stole data on 500 million and three billion users, respectively. It threatens to damage Marriott’s reputation at a time when its dominance is being challenged not only by traditional rivals but also upstarts like Airbnb Inc.
Marriott as of Sunday was still sorting through the attack’s cause and impact. It said it first received a security alert on Sept. 8, and moved quickly to notify customers and regulators after determining on Nov. 19 that the hackers acquired information in the Starwood reservation database.
For about 327 million customers, the hackers may have gained access to passport numbers, travel details and, in some cases, credit-card information, as well as names and addresses, it said. Investigators also found a file of about 170 million customers created by the hackers that contains much less information, the company said Sunday.
Marriott began sending out emails to customers on Friday, a process that will take weeks. Some customers complained that they couldn’t get clear information from Marriott on whether or not they had been affected. Marriott said Sunday it was still identifying duplicate information in the second data file to determine exactly who was affected.
The Federal Bureau of Investigation said it is tracking the Marriott situation and attorneys general in New York, Illinois and Massachusetts have opened investigations.
Several Democrats, including Sens. Mark Warner of Virginia and Elizabeth Warren of Massachusetts, blasted Marriott on Friday and called for national data-breach laws. “CEOs won’t take protecting our data seriously unless their own jobs are on the line,” said Sen. Warren in a Twitter message.
At the time of the 2014 intrusion, hackers were on a hotel spree. By 2015 they had broken into systems at Hilton Worldwide , Trump Hotel Collection, Mandarin Oriental and others.
Attackers target hotels because they hold rich troves of credit-card data, hosted on computers that often are accessible remotely for maintenance purposes, and because the industry generally has had lax protections, experts say. “The hospitality industry has never been at the forefront of security,” said Vincent Liu, a partner with the security consulting firm Bishop Fox.
Other watershed breaches—the 2013 hack at Target Corp. and the 2014 break-in at Sony Pictures Entertainment Inc.—gained widespread attention and spurred industrywide efforts to shore up computer security weaknesses, Mr. Liu said. “Maybe this is something that will resonate through the boardrooms of the hospitality industry,” he added.
While those incidents did lead to increased corporate spending on computer security, they prompted no substantial action by Congress.
In 2011, Starwood finished a 10-year project code-named Valhalla to upgrade its reservation system, a massive centralized database used to book and hold reservations for the company’s approximately 370,000 rooms spread across nearly 1,300 properties under different brands in about 100 countries.
The hotels used a range of different payment and property-management systems assembled from Starwood’s many acquisitions, making the global computer network difficult to secure, according to former Starwood employees.
“It’s a juicy place to attack,” said Paul West, a hotel industry consultant who advises on cyber insurance and risk management. The payment systems, in particular, are often vulnerable to attack. “Some of these places, like a little tiki bar in some resort, sometimes those systems are left unattended,” Mr. West said.
The hackers in the 2015 incident had been lurking in Starwood’s networks for nearly eight months when they were detected, the company said at the time. Initially, the company said that 54 hotels had been breached, but two months later said the more than 100 hotels were hit.
Starwood said in a November 2015 statement that it had hired outside forensic experts to conduct an “extensive investigation” into that breach, and that there was no indication its guest reservation or Starwood Preferred Guest membership systems were affected. “We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring,” an executive said in the statement.
The attackers in the newly disclosed breach had already broken into Starwood’s network in 2014, Marriott says. The hackers had created two massive data files lifted from the system and took steps to remove them from the company’s systems. Marriott said it still isn’t sure whether they removed this information from its network.
Security companies and Marriott said Sunday they hadn’t observed the stolen data for sale on criminal marketplaces. That could mean the hackers simply weren’t able to remove their stolen data from Marriott’s network, but given the duration of the breach that seems unlikely, said Recorded Future’s Mr. Barysevich.
Because of the apparent lack of attempts to sell the data and its sensitive nature, including passport numbers, some government officials and cyber investigators worry that the hackers may have worked on behalf of a foreign government rather than a criminal organization.
Mr. Barysevich believes that it unlikely. Hackers often don’t sell stolen data until they are sure their breach is discovered, to forestall the intruders from being ejected from a network, he said. “We think that the data will released,” he said.