5亿条数据泄露！万豪旗下喜达屋数据库被黑客入侵

11月30日晚间消息，万豪国际酒店集团(Marriott International)刚刚宣布，旗下喜达屋酒店(Starwood Hotel)的一个顾客预订数据库被黑客入侵，可能有约5亿顾客的信息泄露。

该消息公布后，万豪国际酒店股价在今日盘前交易中一度下跌逾5%。

万豪国际酒店称，调查结果显示，有一未授权方复制并加密了这些数据。而且，自2014年就开始了对喜达屋酒店网络进行未授权访问。

目前，万豪国际酒店已采取了补救措施，但并未公布进一步的信息。

万豪国际酒店称，这些可能被泄露的信息包括顾客的姓名、通信地址、电话号码、电子邮箱、护照号码、喜达屋VIP客户信息、出生日期、性别和其他一些个人信息。

对于部分客户，可能被泄露的信息还包括支付卡号码和有效日期，但这些数据是加密的。

万豪国际酒店表示，已将该事件报告给执法部门和监管部门，积极配合其调查。

以下是全文信息：

Hackers have had access to the Starwood guest reservation database since 2014.

Marriott said forensic experts managed to decrypt the data attackers stole from the Starwood guest reservation database earlier this month, on November 19.

They said the attackers exfiltrated information on up to approximately 500 million guests who made a reservation at a Starwood property.

The Starwood hotel chain, which Marriott acquired in 2016, includes other hotel brands, such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Investigators said that for 327 million of the Starwood guests, the information that attackers stole included a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For some of these guests, payment card data was also stolen, but Marriott did not say for how many.

"For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)," the hotel said today in an SEC filing.

"There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken," the hotel chain added.

For the rest, up to 500 million, the data only included a name, and sometimes other info such as mailing address, email address, or other information.

"We deeply regret this incident happened," said Arne Sorenson, Marriott's President and Chief Executive Officer. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

"Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," Sorenson added.

This is the third breach affecting Marriott's Starwood chain after the infections with Point-of-Sale (PoS) malware disclosed in 2015 and again in 2016.