Of the 153 Marriott-owned hotels in the Middle East, 125 can be booked through the Starwood Hotels reservation system, the site of a hack that accessed up to 500 million customer records, exposing data including passport numbers and payment cards in a breach of the world’s largest hotel operator.
Marriott,based in Maryland, US, said on its website that it had started to inform affected guests about the breach on Friday, and that it had reported it to law enforcement and regulatory authorities. Two spokesmen for the brand in the Middle East could not be reached for comment. Calls to the UAE-specific customer hotline on Saturday went unanswered.
The breach comes amid a rapid expansion for the hotel operator in the region. Over the next five years, the chain will add 20 more properties in the UAE, in addition to the 57 already open. In Saudi Arabia, Marriott is planning a $2 billion investment over five years for 27 hotels on top of the 25 currently in operation.
Starwood brands with properties in the Middle East include W Hotels, St Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, The Edition, Aloft Hotels, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Its most recent opening is The Edition Abu Dhabi in Al Bateen last month.
The hack began in 2014, according to Marriott, a year before the company offered to buy Starwood to create the world's largest hotel operator. The $13.6bn deal closed in September 2016.
_________________
Read more:
[ Marriott data breach: practical advice from a cybersecurity expert ]
[ Marriott hotels cyber attack: privacy of 500 million guests compromised ]
A reformed hacker shares his tips on how to stay safe online
_________________
The company said on its website that it learned of the breach on September 8 when an internal security tool sent an alert about suspicious activity. In its quarterly filing dated November 6, Marriott added a warning about security breaches to its disclosures without providing details on specific attacks, Bloomberg reported.
Some 327 million customer records containing information including passport details, birth dates, addresses, phone numbers and email addresses were exposed, according to the company.
The hackers also accessed payment card data for an undisclosed number of customers, the company said.
Marriott shares plunged on Friday, falling as much as 6 per cent before ending the day 5.6 per cent down, shaving about $2.4 billion off equity value, while investigators in the UK and five states in the US opened inquiries into the cyber breach.
Morgan Stanley analyst Thomas Allen called the huge sell-off in Marriott (MAR) shares “an overreaction”, saying that a 2 to 3 per cent impact would have been more appropriate. Data breaches typically cost $1 per customer in notification and other services, according to Insurance Insider, and Mr Allen estimated potential fines and/or settlements of about $200 million for Marriott. Insurance Insider also reports that sources suggest the company has about $300m of cyber insurance coverage to partially offset losses, Mr Allen said.
“We fell short of what our guests deserve and what we expect of ourselves,” Marriott chief executive Arne Sorenson said on Friday. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
