WASHINGTON (Reuters) – Marriott International Inc Chief Executive Arne Sorenson apologized on Thursday before a U.S. Senate panel for a massive data breach involving up to 383 million guests in its Starwood hotels reservation system and vowed to protect against future attacks.
Sorenson told the Senate Permanent Subcommittee on Investigations that he did not know if China was behind the hacking, which occurred over a four-year period, but said the company was fully cooperating with the FBI, which is trying to determine who was responsible.
“The short answer is we don’t know,” Sorenson said. “We’ve simply been focused on making sure the door is closed.”
Reuters reported in December that hackers left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter. Secretary of State Mike Pompeo suggested in December China was behind the attack.
Sorenson said the company first became aware of a security issue in September 2018, notified the FBI in October and disclosed the issue publicly on Nov. 30. Sorenson prompted Marriott to accelerate the retirement of the Starwood reservation system, a step that was completed in December.
Committee Chairman Rob Portman noted that Starwood said it had discovered malware designed to steal credit card information on some systems in November 2015 – before Marriott purchased it – but Starwood said at the time it “did not impact its guest reservation database.”
Sorenson said there was evidence of an unauthorized party on the Starwood network since July 2014 but “our investigators had found no evidence the attacker had accessed guest data” until mid-November 2018.
Sorenson said since October Marriott has provided the FBI with “several updates and ready access to forensic findings and information to support their investigation.”
Sorenson said the company has not received any substantiated claims of loss from fraud attributable to the incident and had increased security by adding “protection tools” to determine suspicious behavior, as well as two-factor authentication and keeping valuable data more secure.
Marriott disclosed on Nov. 30 it had discovered its Starwood hotels reservation database had been hacked over a four-year period in one of the largest breaches in history. At least five U.S. states and the United Kingdom’s Information Commissioner’s Office are investigating the attack.
Marriott offered to buy Starwood in 2015, a year before the hack started, and closed the $13.6 billion deal in September 2016.
Senator Tom Carper, the top Democrat on the panel, said the “incident also raises questions about the degree to which cybersecurity concerns do and should play a role in merger and acquisition decisions.”
Carper said Marriott acquired a company with “serious cybersecurity challenges and had actually been attacked before” but chose to initially leave Starwood’s security system in place after acquiring it.
Marriott initially said records of up to 500 million guests were involved and in January revised its estimate to up to 383 million.
Reporting by David Shepardson; Editing by Bill Trott