MANHATTAN (CN) – Reports Friday of a record-breaking data breach that compromised the data of up to 500 million Marriott customers prompted New York Attorney General Barbara Underwood to open an investigation.
The hotel group described the breach this morning in a statement, saying that its internal security tool first alerted the company in September to an attempt to access its Starwood guest reservation database.
An expert investigation followed, according to Marriott’s statement, revealing evidence that there had been unauthorized access to the Starwood network going back to 2014.
The affected hotel brands do not include any Marriott-branded hotel chains, but rather those under the Starwood umbrella: W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points, which Starwood operated before Marriott acquired it in 2016.
Starwood-branded timeshare properties are also included.
Marriott President and CEO Arne Sorenson said the company is still trying to phase out Starwood systems.
A support website set up for anyone who thinks that they are at risk warns that the information of any customer who made a reservation on or before Sept. 10, 2018, for a Starwood property may have been involved in the breach.
Email notifications for those who may have been affected begin rolling out Friday.
Marriott said that hotel guest information that was vulnerable to the breaches included names, mailing addresses, phone numbers, email addresses and passport numbers.
For some Starwood guests, the copied information included payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128). Marriott said it has not yet been able to rule out the possibility that both components needed to decrypt the payment card numbers had been accessed in the breach.
Marriott says it has already begun notifying regulatory authorities.
Shares of Marriott stock plummeted 5 percent at Friday’s opening bell.
Underwood tweeted this morning that her office is not waiting to take action.
“New Yorkers deserve to know that their personal information will be protected,” Underwood wrote.
We’ve opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected.
— NY AG Underwood (@NewYorkStateAG) November 30, 2018
The reach of an investigation by Underwood’s office, and any civil litigation arising from it, would be limited to the breach’s impact on New York residents.
Underwood also posted a link to her office’s “Small Business Guide to Cybersecurity in New York State,” which cautions New Yorkers to practice safe, diligent cybersecurity.
“It seems that not a day goes by without news of another data breach,” Underwood wrote in the introduction to the guide. “Tens of millions of records containing New Yorkers’ personal information have been disclosed by some of the nation’s most well-known companies.”
With 500 million customers potentially vulnerable to the hack, the Marriott breach is likely the largest-scale breach in history.
One year ago, in November 2017, the Atlanta-based credit-monitoring website Equifax announced that the sensitive information of 143 million Americans had been compromised after “criminals” exploited a U.S. website application to access files during the summer prior.
In November 2017, in the wake of the Equifax breach, Underwood’s predecessor, New York Attorney General Eric Schneiderman, introduced the Stop Hacks and Improve Electronic Data Security Act in the state Legislature. Otherwise known as the SHIELD Act, the program bill was sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh.
Also endorsed by Underwood following the Marriott breach, the SHIELD Act would close major gaps in New York’s data-security laws, without putting an undue burden on businesses, Schneiderman said in 2017.
Equifax Inc. agreed this past June to implement stronger data-security measures under a consent order with the New York State Department of Financial Services, in conjunction with state banking regulators from Alabama, California, Georgia, Maine, Massachusetts, North Carolina and Texas.