327 million Marriott guests affected in Starwood Data Breach

Pierluigi Paganini November 30, 2018

Starwood Data Breach – Hackers accessed the guest reservation system of the Marriot owned Starwood since 2014 and copied and encrypted the information.

Marriott International is the last victim of a long string of data breaches, the company announced that hackers compromised guest reservation database at its subsidiary Starwood hotels and stolen personal details of about 500 million guests.

“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.” reads the data breach notification published by Marriot.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

This is one of the largest data breaches in history, the biggest one for the hospitality industry.

Marriott International has bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, hackers accessed to the Starwood’s guest reservation system since 2014 and copied and encrypted the information.

The intrusion was detected on September 8 when a monitoring system found evidence regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, an investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

Unknown hackers accessed personal information of nearly 327 million guests, compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date.

The investigation in the Starwood Data Breach revealed that stolen data also includes financial data, payment card numbers and payment card expiration dates were exposed, even if in an encrypted format.

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” continues the data breach notification.

“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

According to Marriott, hackers did not access the Marriott network.

The company reported the incident to the law enforcement and data protection authorities, it is also notifying potentially impacted customers.

According to the EU General Data Protection Regulation (GDPR) regulation, Marriott could face a maximum fine of 20 million euros or 4 percent of its annual global revenue if data protection authorities

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – Starwood Data Breach, Marriot)

[adrotate banner=”5″]

[adrotate banner=”13″]

data breach Hacking Marriot Pierluigi Paganini Security Affairs Starwood

Pierluigi Paganini July 13, 2025

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

Pierluigi Paganini July 13, 2025