Marriott’s CEO Apologized Before the Senate for the Data Breach

Mar 7, 2019

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Marriott’s CEO, Arne Sorenson, appeared in front of the US Senate today, testifying in front of the Permanent Subcommittee on Investigations about the 2018 data breach in which personal data from hundreds of millions of user profiles was hacked.

Less than two minutes into his opening statement, Sorenson — the head of the world’s largest hotel chain — said he was sorry: “As a company that prides itself on taking care of people, we recognize the gravity of this criminal attack on the Starwood guest reservation database and our responsibility for protecting data concerning our guests.  To all of our guests, I sincerely apologize.”

After his opening statement, Sorenson was asked questions by a number of senators on the committee. Here is a summary of his answers, giving us some more insight into the data breach:

  • On September 7th, an alert was delivered by a cybersecurity tool. Marriott was notified, as was a third-party party vendor that handled some technical aspects of the Starwood reservation system.
  • The process to ascertain what data was compromised began immediately. However, it was not until November 19th that Marriott discovered customer data had been stolen.
  • When the company learned of the breach, it immediately accelerated the retirement of the Starwood reservations and operations systems.
  • Sorenson said that he believes the 11 days between November 19th and when Marriott publicly disclosed the breach on November 30th was an appropriate period of time, in order to provide customers concrete and useful information and to deliver something that Marriott anticipated they would need and want.
  • Sorenson used himself as an example of how customers may have been in the Starwood reservations database under more than one entry. He stated that he was listed in the database as Arne Sorenson, Arne M. Sorenson and Arne Morris Sorenson, with either his business or home address listed, or no address at all.
  • When asked by a senator if he believed China was responsible for the breach, Sorenson replied, “The short answer is we don’t know. I feel quite inadequate about even drawing inferences from the data we’ve obtained……We have shared everything with the FBI including IP addresses used and malware used so they can do that kind of investigation.”
  • Starwood and Marriott had different ways of handling passport data collection as required by certain countries.  Marriott has chosen to collect the data at the property level, where Starwood chose to collect the data and centralize it, where it was supposed to be encrypted. Sorenson said that there are pros and cons to both approaches.  Storing data at the property level requires every property to have an appropriate level of security for that data. He said that Marriott is looking very hard at how not to centralize the data collection going forward.
  • Marriott believes the number of passport numbers stolen was approximately 19 million, which is lower than the 23 million earlier reported. The company thinks approximately 5 million of those passport numbers were stored unencrypted.
  • Marriott has contracted with third-party service providers to track the data that was stolen.  So far, none of the services has reported that any of the data has appeared on the internet or the dark web.
  • Reservations data was obtained as recently as 2016.  While Marriott can’t be 100% sure, since it opens up reservations approximately a year in advance, it believes no future reservations data is compromised.
  • When asked if the information for traveling companions was exposed, Sorenson replied that it was likely. He was asked if all traveling companions had been notified. He detailed Marriott’s efforts, including a press release, a banner on the website and over 50 million e-mails sent to members in the Marriott database who had a valid e-mail address on file.

The video of the testimony is available on the Senate subcommittee’s website. Additionally, Sorenson submitted written testimony prior to the hearing that is publicly available for review. The hearing was not marked by some of the antagonistic comments we’ve seen in other congressional hearings, and its tone was more collegial than combative. That being said, Sorenson was asked pointed questions about the effort to inform affected customers and how Marriott intends to prevent future data breaches. He was also asked by more than one senator how Marriott could be unaware of the security breach through the due diligence during the merger process with SPG. In response, Sorenson described various reviews that his company and contractors Marriott hired conducted of Starwood’s data-storage procedure, as it considered buying Starwood.

Marriott was aware of a previous, much smaller data breach at the property level at Starwood, Sorenson said, but did not uncover any widespread irregularities in the company’s reservation system.

Delta SkyMiles® Platinum American Express Card

Earn 90,000 bonus miles and 10,000 Medallion® Qualification Miles (MQMs) after you spend $3,000 in purchases on your new card in the first three months of card membership. Offer ends 11/10/2021.

With Status Boost™, earn 10,000 Medallion Qualification Miles (MQMs) after you spend $25,000 in purchases on your Card in a calendar year, up to two times per year getting you closer to Medallion Status. Earn 3X Miles on Delta purchases and purchases made directly with hotels, 2X Miles at restaurants and at U.S. supermarkets and earn 1X Mile on all other eligible purchases. Terms Apply.

Apply Now
More Things to Know
  • Limited Time Offer: Earn 90,000 Bonus Miles and 10,000 Medallion® Qualification Miles (MQMs) after you spend $3,000 in purchases on your new Card in your first 3 months. Offer expires 11/10/2021.
  • Earn up to 20,000 Medallion® Qualification Miles (MQMs) with Status Boost® per year. After you spend $25,000 in purchases on your Card in a calendar year, you can earn 10,000 MQMs two times per year, getting you closer to Medallion® Status. MQMs are used to determine Medallion® Status and are different than miles you earn toward flights.
  • Earn 3X Miles on Delta purchases and purchases made directly with hotels.
  • Earn 2X Miles at restaurants worldwide, including takeout and delivery and at U.S. supermarkets.
  • Earn 1X Miles on all other eligible purchases.
  • Receive a Domestic Main Cabin round-trip companion certificate each year upon renewal of your Card. *Payment of the government imposed taxes and fees of no more than $75 for roundtrip domestic flights (for itineraries with up to four flight segments) is required. Baggage charges and other restrictions apply. See terms and conditions for details.
  • Enjoy your first checked bag free on Delta flights.
  • Fee Credit for Global Entry or TSA Pre✓®.
  • Enjoy an exclusive rate of $39 per person per visit to enter the Delta Sky Club® for you and up to two guests when traveling on a Delta flight.
  • No Foreign Transaction Fees.
  • $250 Annual Fee.
  • Terms Apply.
  • See Rates & Fees
Regular APR
15.74%-24.74% Variable
Annual Fee
$250
Balance Transfer Fee
N/A
Recommended Credit
Excellent/Good
Terms and restrictions apply. See rates & fees.

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.