Marriott has announced that the guest reservation database of its Starwood Hotels and Resorts subsidiary was breached and that personal information on approximately 500 million guests was taken. The database held names, email addresses, passport numbers and dates of stay. Payment card numbers were also stored. They were encrypted, but Marriott noted that the encryption keys may have been taken in the same breach, so the encryption cannot be relied on to have protected them.
The attacker has had access since 2014, but this is the only instance known so far in which that access was used to take meaningful data. The investigation is still at an early stage, so further exfiltration may yet come to light.
For end users, the main defence against this kind of exposure is to limit what a hotel holds about you in the first place. Checking in under a pseudonym, where the property allows it, keeps a breached reservation database from revealing your movements. Paying with a virtual card number that is locked to a single merchant or single use limits what an attacker can do with the card data: even if the virtual number is recovered from the breach, it cannot be charged elsewhere, and it can be cancelled without replacing your real card.
For businesses, an intrusion that runs this long can be made much harder with two fairly simple measures. First, do not expose remote-access services such as RDP directly to the internet; filter inbound access at the perimeter and put such services behind a VPN or gateway, since the protocol itself treats security as at best a tertiary concern. Second, feed authentication and access logs into a SIEM and audit them regularly, so that an intruder's access is found in days rather than after it has started having annual birthdays.
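The access-auditing pass described above, as an added example that is not code from the original article or from Marriott. It runs two checks over logon records: successful RDP logons from non-internal source addresses (which should be empty once inbound RDP is blocked at the edge) and user/source pairs whose external RDP access has persisted for a year or more. The log lines are constructed, not real Starwood data; their key=value layout is a simplified stand-in for the fields of Windows Security events 4624 and 4625, and the TEST-NET addresses stand in for public internet sources.

```python
"""Toy access-audit pass over logon records.

Added example, not code from the original article. Records are constructed;
the key=value form mirrors Windows Security event 4624 (logon success) and
4625 (logon failure) fields. 203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges used here in place of real public addresses.
"""
import ipaddress
from datetime import datetime

SAMPLE_LOG = """\
2014-07-12T02:14:05Z event=4624 user=svc_backup logon_type=10 src=203.0.113.45
2015-03-02T03:10:44Z event=4624 user=svc_backup logon_type=10 src=203.0.113.45
2018-09-08T02:16:41Z event=4624 user=svc_backup logon_type=10 src=203.0.113.45
2018-09-08T08:55:03Z event=4624 user=jdoe logon_type=2 src=127.0.0.1
2018-09-08T09:00:12Z event=4624 user=jdoe logon_type=10 src=10.20.30.40
2018-09-09T10:12:00Z event=4625 user=admin logon_type=10 src=198.51.100.7
"""

RDP_LOGON_TYPE = 10              # LogonType 10 = RemoteInteractive (RDP)
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625

# Ranges treated as "inside the network". Listed explicitly rather than via
# ipaddress.is_private, because that property also covers the TEST-NET
# ranges used as stand-in public addresses in the sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Turn the key=value lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(fields["event"]),
            "user": fields["user"],
            "logon_type": int(fields["logon_type"]),
            "src": fields["src"],
        })
    return records


def external_rdp_logons(records: list) -> list:
    """Successful RDP logons from a non-internal source address.

    With inbound RDP blocked at the perimeter this should be empty; anything
    here is either a firewall gap or an attacker who already has a foothold.
    """
    return [r for r in records
            if r["event"] == LOGON_SUCCESS
            and r["logon_type"] == RDP_LOGON_TYPE
            and not is_internal(r["src"])]


def external_rdp_failures(records: list) -> list:
    """Failed RDP attempts from outside: password spraying or credential testing."""
    return [r for r in records
            if r["event"] == LOGON_FAILURE
            and r["logon_type"] == RDP_LOGON_TYPE
            and not is_internal(r["src"])]


def long_dwell(records: list, min_days: int = 365) -> dict:
    """(user, src) pairs whose external RDP access spans at least min_days.

    This is the 'annual birthday' check: access that has quietly persisted
    for a year or more without anyone asking why it exists.
    """
    first_last = {}
    for r in external_rdp_logons(records):
        key = (r["user"], r["src"])
        first, last = first_last.get(key, (r["ts"], r["ts"]))
        first_last[key] = (min(first, r["ts"]), max(last, r["ts"]))
    return {k: (last - first).days for k, (first, last) in first_last.items()
            if (last - first).days >= min_days}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in external_rdp_logons(recs):
        print(f"external RDP logon: {r['ts']} {r['user']} from {r['src']}")
    for r in external_rdp_failures(recs):
        print(f"external RDP failure: {r['ts']} {r['user']} from {r['src']}")
    for (user, src), days in long_dwell(recs).items():
        print(f"persistent external access: {user} from {src} for {days} days")
```

In a real deployment the same logic would run as a scheduled SIEM query over event 4624/4625 with LogonType 10, with the internal ranges replaced by the organisation's own address plan; the point of the dwell check is that a single suspicious logon is easy to miss, while the same account arriving from the same outside address for four years is not.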
Anyone who made a reservation at a Starwood property on or before September 10th, 2018 should assume they are included in this breach. Marriott has set up a site, answers.kroll.com, to provide information to anyone concerned that they may be affected, and is offering a year of free access to WebWatcher, a service that monitors for your PII appearing on sites that sell and distribute such data. Note that this does not include credit monitoring.