Marriott International CEO Arne Sorenson has apologised before a US Senate panel for a vast data breach affecting up to 383 million Starwood hotels guests and has vowed to protect against future security attacks.
Sorenson told the Senate Permanent Subcommittee on Investigations there was evidence of an unauthorised party on the Starwood network since July 2014 but the company’s investigators had “found no evidence the attacker had accessed guest data” until late last year.
Marriott bought Starwood for $13.6 billion in September 2016.
Senator Tom Carper said the incident “raises questions about the degree to which cyber-security concerns do and should play a role in merger and acquisition decisions”.
Carper said Marriott acquired a company with “serious cyber-security challenges and had actually been attacked before” but chose to initially leave Starwood’s security system in place after acquiring it.
The breach prompted Marriott to speed up its retirement of the Starwood system, completing the process last December.
Sorenson said the company first became aware of a security issue in September 2018, notified the FBI in October and disclosed the issue publicly on November 30.
The four-year breach is one of the largest ever seen, and while the location of the attackers is yet to be publicly disclosed, Reuters reported in December that sources believed clues left by the hackers suggesting they were working for a Chinese government intelligence gathering operation.
Committee chairperson Rob Portman noted that Starwood said it had discovered malware in November 2015 on some systems designed to steal credit card information, but the group said at the time it did not impact its guest reservation database.
Sorenson said since October Marriott has provided the FBI with “several updates and ready access to forensic findings and information to support their investigation”.
He said the company has not received any substantiated claims of loss from fraud attributable to the incident.
Marriott initially believed the records of up to 500 million guests were affected but has since revised down that figure to around 383 million.
Some five US states and the UK Information Commissioner’s Office are investigating the attack.