Marriott International Chief Executive Arne Sorenson apologised on Thursday before a US Senate panel for a massive data breach involving up to 383 million guests in its Starwood hotels reservation system and vowed to protect against future attacks.
Sorenson told the Senate Permanent Subcommittee on Investigations that the hacking, which occurred over a four-year period, prompted the company to accelerate the retirement of the Starwood reservation system that was completed in December. He said the company first became aware of a security issue in September 2018, notified the FBI in October and disclosed the issue publicly on Nov. 30.
Committee Chairman Rob Portman noted that Starwood said it had discovered malware in November 2015 on some systems designed to steal credit card information but Starwood said at the time it “did not impact its guest reservation database.”
Sorenson said there was evidence of an unauthorised party on the Starwood network since July 2014 but “our investigators had found no evidence the attacker had accessed guest data” through mid-November 2018.
Sorenson said since October Marriott has provided the FBI with “several updates and ready access to forensic findings and information to support their investigation.”
Sorenson said the company has not received any substantiated claims of loss from fraud attributable to the incident. Sorenson did not identify where the attackers were based but Reuters reported in December hackers left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter.
Marriott disclosed on November 30 it had discovered its Starwood hotels reservation database had been hacked over a four-year period in one of the largest breaches in history. At least five US states and the United Kingdom’s Information Commissioner’s Office are investigating the attack.
Marriott offered to buy Starwood in 2015, a year before the hack started, and closed the $13.6 billion deal in September 2016.
Senator Tom Carper, the top Democrat on the panel, said the “incident also raises questions about the degree to which cyber-security concerns do and should play a role in merger and acquisition decisions.”
Carper said Marriott acquired a company with “serious cyber-security challenges and had actually been attacked before” but chose to initially leave Starwood’s security system in place after acquiring it.
Marriott initially said records of up to 500 million guests were involved and in January revised its estimate to up to 383 million.