The California Office of the Attorney General disclosed a major **data breach** at **Marriott International, Inc.** on **November 30, 2018**, stemming from unauthorized access to the **Starwood guest reservation database**. The breach, which began **on or before September 10, 2018**, exposed the records of approximately **500 million guests**, with **327 million individuals** having sensitive personal data compromised. This included **names, mailing addresses, email addresses, and encrypted payment card numbers**, though the encryption on the latter was not confirmed to have been broken. The incident originated from a vulnerability in Starwood’s systems, which Marriott had acquired in 2016, highlighting a failure in post-merger cybersecurity integration. The breach posed severe risks of **identity theft, financial fraud, and reputational damage**, given the scale and sensitivity of the exposed data. Regulatory investigations followed, with Marriott facing significant legal and financial repercussions, including fines under **GDPR** and other data protection laws. The incident underscored critical gaps in **third-party risk management** and the protection of customer data in large-scale corporate acquisitions.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-142258
TPRM report: https://www.rankiteo.com/company/marriott-international
"id": "mar019090625",
"linkid": "marriott-international",
"type": "Breach",
"date": "6/2016",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Approximately 500 million (327 '
'million with detailed records '
'exposed)',
'industry': 'Hospitality',
'location': 'Global (Headquartered in Bethesda, '
'Maryland, USA)',
'name': 'Marriott International, Inc.',
'size': 'Large (Fortune 500 company)',
'type': 'Hospitality Corporation'}],
'data_breach': {'data_encryption': 'Payment card numbers were encrypted; '
'other data (e.g., names, addresses) '
'likely unencrypted',
'data_exfiltration': 'Yes',
'number_of_records_exposed': 'Up to 500 million (327 million '
'with sensitive details)',
'personally_identifiable_information': ['Names',
'Addresses',
'Email addresses'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Payment card information '
'(encrypted)']},
'date_detected': '2018-09-10',
'date_publicly_disclosed': '2018-11-30',
'description': 'The California Office of the Attorney General reported a data '
'breach at Marriott International, Inc. involving the Starwood '
'guest reservation database. The breach occurred on or before '
'September 10, 2018, and could potentially affect '
"approximately 500 million guests, with 327 million guests' "
'information including names, addresses, email addresses, and '
'encrypted payment card numbers.',
'impact': {'brand_reputation_impact': 'High (due to scale of breach and '
'sensitive data exposure)',
'data_compromised': ['Names',
'Addresses',
'Email addresses',
'Encrypted payment card numbers'],
'identity_theft_risk': 'High (due to exposure of PII)',
'payment_information_risk': 'Moderate (payment card numbers were '
'encrypted)',
'systems_affected': ['Starwood guest reservation database']},
'initial_access_broker': {'high_value_targets': ['Starwood guest reservation '
'database']},
'references': [{'date_accessed': '2018-11-30',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential violations of '
'GDPR (for EU guests)',
'California Consumer '
'Privacy Act (CCPA) '
'considerations'],
'regulatory_notifications': 'Reported to California '
'Office of the Attorney '
'General'},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'Marriott International (Starwood) Data Breach',
'type': 'Data Breach'}