Marriott data breach: how are customers in the Middle East affected?

Marriott International said on Friday that hackers accessed up to 500 million customer records

A logo is displayed on a rug outside a Marriott International Inc. hotel in Chicago, Illinois, U.S., on Friday, Nov. 30, 2018. A cyber breach in Starwood's reservation system had allowed unauthorized access to information about as many as 500 million guests since 2014. Photographer: Daniel Acker/Bloomberg
Powered by automated translation

Of the 153 Marriott-owned hotels in the Middle East, 125 can be booked through the Starwood Hotels reservation system, the site of a hack that accessed up to 500 million customer records, exposing data including passport numbers and payment cards in a breach of the world’s largest hotel operator.

Marriott,based in Maryland, US, said on its website that it had started to inform affected guests about the breach on Friday, and that it had reported it to law enforcement and regulatory authorities. Two spokesmen for the brand in the Middle East could not be reached for comment. Calls to the UAE-specific customer hotline on Saturday went unanswered.

The breach comes amid a rapid expansion for the hotel operator in the region. Over the next five years, the chain will add 20 more properties in the UAE, in addition to the 57 already open. In Saudi Arabia, Marriott is planning a $2 billion investment over five years for 27 hotels on top of the 25 currently in operation.

Starwood brands with properties in the Middle East include W Hotels, St Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, The Edition, Aloft Hotels, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Its most recent opening is The Edition Abu Dhabi in Al Bateen last month.

The hack began in 2014, according to Marriott, a year before the company offered to buy Starwood to create the world's largest hotel operator. The $13.6bn deal closed in September 2016.


Read more:

A reformed hacker shares his tips on how to stay safe online


The company said on its website that it learned of the breach on September 8 when an internal security tool sent an alert about suspicious activity. In its quarterly filing dated November 6, Marriott added a warning about security breaches to its disclosures without providing details on specific attacks, Bloomberg reported.

Some 327 million customer records containing information including passport details, birth dates, addresses, phone numbers and email addresses were exposed, according to the company.

The hackers also accessed payment card data for an undisclosed number of customers, the company said.

Marriott shares plunged on Friday, falling as much as 6 per cent before ending the day 5.6 per cent down, shaving about $2.4 billion off equity value, while investigators in the UK and five states in the US opened inquiries into the cyber breach.

Morgan Stanley analyst Thomas Allen called the huge sell-off in Marriott (MAR) shares “an overreaction”, saying that a 2 to 3 per cent impact would have been more appropriate. Data breaches typically cost $1 per customer in notification and other services, according to Insurance Insider, and Mr Allen estimated potential fines and/or settlements of about $200 million for Marriott. Insurance Insider also reports that sources suggest the company has about $300m of cyber insurance coverage to partially offset losses, Mr Allen said.

“We fell short of what our guests deserve and what we expect of ourselves,” Marriott chief executive Arne Sorenson said on Friday. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”