© 2026 truecrime.news. All rights reserved.

Case file

Marriott's Massive Breach: 383 Million Guests Exposed

Hotel chain's four-year security lapse compromised passport numbers, addresses, and payment data across Starwood properties worldwide

A Starwood-branded server room with tangled Ethernet cables and a laptop displaying a web shell interface, symbolizing the vulnerability exploited in Marriott's data breach affecting 500 million guests
EVIDENCE

Classification:

Data breach
Identity theft
Espionage
Cybercrime
USA
United Kingdom
Denmark
Passwords

Quick Facts

Crime scene: Bethesda, Maryland, USA
Date of crime: 2014
Crime type: Data breach / Cybercrime
Case status: Ongoing investigation
Investigation period: 2018-

Marriott International disclosed one of history's largest data breaches on November 30, 2018, revealing that hackers had infiltrated its Starwood guest reservation database—initially estimated to affect up to 500 million guests, later revised to approximately 383 million unique guests.

The breach's timeline is striking in its duration. Unauthorized access to the Starwood system began in 2014, meaning attackers maintained access for roughly four years before detection. Marriott, which acquired Starwood Hotels in 2016, didn't discover the suspicious activity until September 8, 2018. The breach was confirmed on November 19, 2018, and publicly announced just 11 days later.

The compromised data reveals the scope of exposure. For the 383 million affected guests, hackers obtained names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure dates, reservation dates, and communication preferences. For an undisclosed subset of guests, attackers also accessed encrypted credit card numbers and expiration dates—protected with AES-128 encryption, though whether encryption keys were compromised remains unclear.

Timeline

1 January 2014

Start of the hacking attack

Unknown hackers gain access to the Starwood Hotels reservation system for the first time

30 November 2018

Disclosure of the data leak

Marriott informs the public about the massive data theft affecting 500 million hotel guests

Cybersecurity experts highlighted the gravity of what was exposed. Dan Guido, founder of Trail of Bits, described the breach as "massive" because attackers obtained particularly sensitive data: passport numbers and detailed travel histories. Tim Johnson, cyber correspondent for McClatchy Newspapers, emphasized that such information opens victims to serious threats including spear-phishing attacks and identity theft.

The breach exposed critical security failures within Marriott's infrastructure. Investigators found that the company lacked adequate network segmentation and had insufficient monitoring systems, basic controls that would have detected the intrusion far sooner. Attackers didn't just access the database; they encrypted and exfiltrated a complete copy of the guest data, ensuring they could retain information even if the company later secured the system.

Marriott's response began once the breach was confirmed. The company hired third-party forensic investigators to assess the damage and took steps to stop further data exfiltration. Starting November 30, 2018, Marriott notified affected customers of the compromise. In the United States, victims were offered a "Web Watcher" tool for monitoring suspicious activity, fraud consultation services, and reimbursement assistance—though these protections were not uniformly available across all countries.

The legal consequences have extended far beyond 2018. The breach faced expected scrutiny under the European Union's General Data Protection Regulation (GDPR) due to Marriott's delayed disclosure to affected parties and regulators. In October 2024, the U.S. Federal Trade Commission took enforcement action against Marriott, citing the company's security failures in this and related breaches.

No individual hackers have been publicly identified or prosecuted in connection with the Starwood breach. The attack remains attributed to unidentified threat actors who exploited Marriott's weak security infrastructure to gain access to one of the hospitality industry's largest guest databases.

The Marriott Starwood breach stands as a cautionary tale about the consequences of inadequate cybersecurity investment and delayed threat detection in large organizations handling sensitive traveler information.