New York Attorney General Barbara Underwood is investigating a data breach that compromised the data of approximately 500 million persons who made reservations at Marriott International’s Starwood hotels.
A spokeswoman for Underwood’s office confirmed Friday morning that they were looking into the breach and that the company may have violated state law by not notifying the attorney general of the incident.
“We’ve opened an investigation into the Marriott data breach,” said Amy Spitalnick, spokeswoman for Underwood. “Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet.”
Marriott, which announced the data breach early Friday morning, said in a statement that they are working on filing regulatory notices with state authorities following their announcement of the breach.
“We are in the process of completing the filing of all regulatory notices this morning,” a spokesman for Marriott said.
Underwood was among the first state attorneys general to confirm an investigation into the breach Friday morning. The reach of her investigation, and any civil litigation arising from it, would be limited to the breach’s impact on New York residents. The attorney general’s office typically, in situations like these, partners with attorneys general from several states to reach a national settlement for victims of an incident.
The multinational hotel chain is headquartered outside New York in Bethesda, Maryland. Maryland Attorney General Brian Frosh said in a statement Friday morning that his office would be taking a “hard look” at the security incident, though a spokeswoman said the office typically neither confirms nor denies active investigations into a company.
“The Marriott data breach is one of the largest and most alarming we’ve seen,” Frosh said. “My office will be taking a hard look at Marriott’s actions to understand the circumstances that led to the breach.”
Frosh also said his office will be working with the company to make sure users affected by the breach are notified. They will also be monitoring the company’s response to the incident, Frosh said.
Marriott announced Friday morning that an investigation that ended nearly two weeks ago had confirmed the data breach. The company launched the investigation after it was informed of a possible security incident by an internal security tool on Sept. 8, according to Marriott. The investigation determined that there had been unauthorized access to the Starwood network since 2014.
The incident compromised the data of 500 million people who made a reservation at one of the company’s Starwood properties on or before Sept. 10, Marriott said. For an unknown number of those customers, the information obtained may have included credit card numbers and their expiration dates. Those were encrypted in the system, Marriott said, but whoever accessed the database may have been able to decrypt them.
About two-thirds of users had other information compromised as well, including their passport number, name, mailing address, phone number, email address, date of birth and gender. The breach also compromised details on their stay at the Starwood property, as well as their account information with the Starwood Preferred Guest program.
The company said it has already reported the incident to law enforcement and has begun notifying regulatory authorities. As of Friday morning, authorities in New York had not been notified, Spitalnick said.
New York state law requires that a company inform the state’s affected residents when a person acquires their personal computerized data without valid authorization. There are situations, according to the law, where a company may be asked to delay notifying its users if that message would impede a criminal investigation.
Under the law, a company that discovers a security breach has to report it to three state entities: the attorney general’s office, the state police and the Department of State. The Consumer Frauds and Protection Bureau within the attorney general’s office handles incidents involving a security breach. Marriott had failed to inform any of the three as of Friday morning, according to the attorney general’s office.
The data breach affected customers who stayed at more than a half-dozen of the company’s Starwood properties, including W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties also were impacted.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and CEO. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The company has created a website to address the concerns of users who suspect they may have been affected. That can be found at info.starwoodhotels.com. Customers also may call the company’s call center for the breach, which is at 877-273-9481 for users in the U.S. Marriott also will begin sending emails to affected users on a rolling basis, starting Friday.