Around 500 million customer records may have been breached in a hack on the Starwood division of the Marriott International hotel chain.
The chain said that it discovered in September that an attacker had had access to Starwood's network since 2014, and had copied and encrypted customer data.
Marriott International said it discovered an attempted hack on 8th September, and that by 19th November its internal investigation had determined that the attacks had been directed against the Starwood guest reservation database.
The company says it is notifying customers whose records were in the database. The Starwood network includes Sheraton, Four Points by Sheraton and W Hotels.
Security company Sophos has warned that the hack has potentially put customers' passport data at risk.
John Shier, senior security advisor, Sophos, commented on the incident: "The potential fallout from the Marriott's Starwood data breach should be alarming to anyone who has stayed at a Starwood property in the last 4 years. Not only are guests at risk for opportunistic phishing attacks, but targeted phishing emails are almost certain, as well as phone scams and potential financial fraud. Unlike previous breaches, this attack also included passport numbers for some individuals who are now at increased risk for identity theft. At this point, however, it's unclear what level of exposure each individual victim has been subject to. Until then, all potential victims should assume the worst and take all necessary precautions to protect themselves from all manner of scams."
Sophos also noted that Marriott's attempts to support customers may cause more issues. Marriott is offering victims in the USA, UK and Canada a free one-year subscription to 'Web Watcher', a service that monitors internet sites where personal information is shared, presumably to help customers detect if their data is on the black market. However, Sophos said that there is also spyware of the same name, and users could potentially download the spyware by mistake.
Sophos instead recommends that people who think their data may be at risk be on the lookout for spearphishing emails that use their personal details, monitor financial accounts for any unexpected transactions, and change their passwords for Starwood and any related accounts, or accounts that reuse the same password as their Starwood password.