Marriott's Massive Breach: 383 Million Guests Exposed
Hotel chain's four-year security lapse compromised passport numbers, addresses, and payment data across Starwood properties worldwide

Case Details
Quick Facts
Marriott International disclosed one of history's largest data breaches on November 30, 2018, revealing that hackers had infiltrated its Starwood guest reservation database—initially estimated to affect up to 500 million guests, later revised to approximately 383 million unique guests.
The breach's timeline is striking in its duration. Unauthorized access to the Starwood system began in 2014, meaning attackers maintained access for roughly four years before detection. Marriott, which acquired Starwood Hotels in 2016, didn't discover the suspicious activity until September 8, 2018. The breach was confirmed on November 19, 2018, and publicly announced just 11 days later.
The compromised data reveals the scope of exposure. For the 383 million affected guests, hackers obtained names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure dates, reservation dates, and communication preferences. For an undisclosed subset of guests, attackers also accessed encrypted credit card numbers and expiration dates—protected with AES-128 encryption, though whether encryption keys were compromised remains unclear.
Cybersecurity experts highlighted the gravity of what was exposed. Dan Guido, founder of Trail of Bits, described the breach as "massive" because attackers obtained particularly sensitive data: passport numbers and detailed travel histories. Tim Johnson, cyber correspondent for McClatchy Newspapers, emphasized that such information opens victims to serious threats including spear-phishing attacks and identity theft.
The breach exposed critical security failures within Marriott's infrastructure. Investigators found that the company lacked adequate network segmentation and had insufficient monitoring systems—basic controls that would have detected the intrusion far sooner. Attackers didn't just access the database; they encrypted and exfiltrated a complete copy of the guest data, ensuring they could retain information even if the company later secured the system.


