Marriott’s CEO Apologized Before the Senate for the Data Breach
Marriott's CEO, Arne Sorenson, appeared in front of the US Senate today, testifying in front of the Permanent Subcommittee on Investigations about the 2018 data breach in which personal data from hundreds of millions of user profiles was hacked.
Less than two minutes into his opening statement, Sorenson — the head of the world's largest hotel chain — said he was sorry: "As a company that prides itself on taking care of people, we recognize the gravity of this criminal attack on the Starwood guest reservation database and our responsibility for protecting data concerning our guests. To all of our guests, I sincerely apologize."
After his opening statement, Sorenson was asked questions by a number of senators on the committee. Here is a summary of his answers, giving us some more insight into the data breach:
- On September 7th, an alert was delivered by a cybersecurity tool. Marriott was notified, as was a third-party party vendor that handled some technical aspects of the Starwood reservation system.
- The process to ascertain what data was compromised began immediately. However, it was not until November 19th that Marriott discovered customer data had been stolen.
- When the company learned of the breach, it immediately accelerated the retirement of the Starwood reservations and operations systems.
- Sorenson said that he believes the 11 days between November 19th and when Marriott publicly disclosed the breach on November 30th was an appropriate period of time, in order to provide customers concrete and useful information and to deliver something that Marriott anticipated they would need and want.
- Sorenson used himself as an example of how customers may have been in the Starwood reservations database under more than one entry. He stated that he was listed in the database as Arne Sorenson, Arne M. Sorenson and Arne Morris Sorenson, with either his business or home address listed, or no address at all.
- When asked by a senator if he believed China was responsible for the breach, Sorenson replied, "The short answer is we don't know. I feel quite inadequate about even drawing inferences from the data we've obtained......We have shared everything with the FBI including IP addresses used and malware used so they can do that kind of investigation."
- Starwood and Marriott had different ways of handling passport data collection as required by certain countries. Marriott has chosen to collect the data at the property level, where Starwood chose to collect the data and centralize it, where it was supposed to be encrypted. Sorenson said that there are pros and cons to both approaches. Storing data at the property level requires every property to have an appropriate level of security for that data. He said that Marriott is looking very hard at how not to centralize the data collection going forward.
- Marriott believes the number of passport numbers stolen was approximately 19 million, which is lower than the 23 million earlier reported. The company thinks approximately 5 million of those passport numbers were stored unencrypted.
- Marriott has contracted with third-party service providers to track the data that was stolen. So far, none of the services has reported that any of the data has appeared on the internet or the dark web.
- Reservations data was obtained as recently as 2016. While Marriott can't be 100% sure, since it opens up reservations approximately a year in advance, it believes no future reservations data is compromised.
- When asked if the information for traveling companions was exposed, Sorenson replied that it was likely. He was asked if all traveling companions had been notified. He detailed Marriott's efforts, including a press release, a banner on the website and over 50 million e-mails sent to members in the Marriott database who had a valid e-mail address on file.
The video of the testimony is available on the Senate subcommittee's website. Additionally, Sorenson submitted written testimony prior to the hearing that is publicly available for review. The hearing was not marked by some of the antagonistic comments we've seen in other congressional hearings, and its tone was more collegial than combative. That being said, Sorenson was asked pointed questions about the effort to inform affected customers and how Marriott intends to prevent future data breaches. He was also asked by more than one senator how Marriott could be unaware of the security breach through the due diligence during the merger process with SPG. In response, Sorenson described various reviews that his company and contractors Marriott hired conducted of Starwood's data-storage procedure, as it considered buying Starwood.
Marriott was aware of a previous, much smaller data breach at the property level at Starwood, Sorenson said, but did not uncover any widespread irregularities in the company's reservation system.