Marriott International CEO Arne Sorenson

Marriott International CEO Arne Sorenson said the company inadvertently “bought trouble” when it acquired Starwood Hotels & Resorts in 2016 as its old reservations system may have been compromised at the time.

Speaking before the US Senate’s Homeland Security & Government Affairs Permanent Subcommittee on Investigations late last week, Sorenson said that one of its internal security tools found that an unauthorised party had been copying and encrypting customer data since 2014. This was despite initial scans of the database prior to the Marriott acquisition showing no evidence of a breach.

When questioned by Senate panel members, Sorenson said he didn’t believe the origin of the breach was located in or linked to China or Chinese sources.

However, the Marriott boss said he was highly confident that far fewer than the previously suggested 383 million customer records had actually been compromised. The latest numbers provided by Marriott revealed that around 18.5 million encrypted passport numbers, 5.35 million unencrypted passport numbers and 385,000 unexpired credit card numbers had been accessed but may not have been copied or used elsewhere.

Marriott said the breach came to light through a routine check on the database by IBM Guardium, a product run by the company’s external IT provider Accenture, which when followed up revealed a Remote Access Trojan. Further investigation found that a human operator had been interfering with the database.

“Until our investigation of the incident that was announced on Nov 30, we were unaware that the Starwood Guest Reservation database had been infiltrated by an attacker,” Sorenson said.

Sorenson detailed the lengths to which Marriott was now going to ensure the incident could not be repeated, saying no expense was being spared to fortify the company’s systems network-wide.

“We are focused on identity access management, which means a broader deployment of two-factor authentication across our systems, as well as network segmentation, which means isolating the most valuable data so that it becomes more difficult for attackers to access the systems and for malware to spread through the environment,” he said.