Marriott press release / CSO Online / FTC / NY AG

📅 2014-01-01 🏢 Starwood Hotels guest reservation system 🦠 Remote Access Trojan (name undisclosed)

Incident Details

Chinese state-sponsored hackers (linked to PLA) compromised Starwood Hotels reservation system as early as 2014, 2 years before Marriott acquired Starwood (2016). Breach persisted undetected until internal security tool flagged suspicious access Sept 8 2018. Up to 500M records exposed (revised to 383M); included names, addresses, phone, email, DOBs, passport numbers (5.25M unencrypted), encrypted payment cards. FTC action 2024. $52M multi-state settlement 2024. Highlights M&A cybersecurity due diligence failures.

Technical Details

Initial Attack Vector: CWE-506: Embedded Malicious Code / Remote Access Trojan deployed in Starwood network prior to Marriott acquisition
Vendor / Product: Starwood Hotels guest reservation system
Malware Family: Remote Access Trojan (name undisclosed)

Timeline

2014-01-01 Breach occurred
2018-11-30 Publicly disclosed
2018-11-30 Customers notified