30 NOVEMBER 2018 10:43 AM  HotelNewsNow by Sean McCracken
smccracken@hotelnewsnow.com
@HNN_Sean

                500 million guests have been affected by a four-year-long data breach

                of Starwood Hotels & Resorts Worldwide’s legacy reservation systems.

REPORT FROM THE U.S.—A wide array of sensitive data—including names, addresses, dates of birth, passport numbers and credit card information—were copied by an unauthorized party from Starwood Hotels & Resorts Worldwide’s reservation system over a four-year span, according to Marriott International officials.

美國報導 – 根據萬豪酒店集團的官方說法，一連串敏感的客戶個資 – 包括姓名，地址，出生日期，護照號碼和信用卡信息 – 被未經授權的一方從喜達屋酒店集團的預訂系統中讀取複製了四年之久。
Affecting up to 500 million guests, the data breach is “one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected,” The Wall Street Journal reports. It is eclipsed only by a 2013 breach of Yahoo that had an impact on nearly 3 billion people and another Yahoo hack in 2014 that affected roughly 500 million. That would make the breach of Starwood’s systems the largest in the history of the hotel industry.

據《 華爾街日報》報導，以受影響(直接，間接及潛在影響)的人數來計算，個資外洩事件影響高達5億名顧客，是「有史以來披露的最大個資外洩事件之一」 。雖然此事件不及2013年美國雅虎發生近30億使用者和2014年約5億使用者的個資外洩衝擊，但喜達屋集團訂房系統遭受個資外洩衝擊之情事，會是全球旅館業史上最大宗的案例。

Reuters reports the Office of the New York Attorney General has opened an investigation into the breach.
據路透社報導，紐約總檢察長辦公室已對此個資外洩事件展開調查。
In a news release issued Friday morning, Marriott officials noted they first uncovered the unauthorized access to the legacy Starwood guest reservation data in the U.S. in early September, and further investigation revealed on 19 November the contents of the copied data.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” the release notes.

萬豪酒店新聞稿指出，「個資遭外洩的顧客人數約有3.27億，而個資部份包括姓名，郵寄地址，電話號碼，電子郵件地址，護照號碼，喜達屋優先客戶的帳戶資料，出生日期，性別，抵達和離開資訊，預訂日期和聯絡方式偏好。」

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

「對於其中一部份的顧客來說，這些資料還包括用來付款的信用卡卡號和有效日期，而信用卡卡號是使用高階加密標準（AES-128）所加密的。若要解開被加密的信用卡卡號碼需要兩個組件，但萬豪集團現在無法排除這兩個組件都被竊取的可能性。至於其餘顧客的資料，則僅止於姓名，或有的還包括其他個資，如郵寄地址，電子郵件地址或其他資訊。」
Marriott has started a dedicated website and call center for concerned guests and is offering a free year-long subscription to a service that monitors if a guest’s personal information is offered for sale online.

萬豪酒店集團為此已開始設立專責的網站和客服中心，並提供免費一年的監控服務，該項服務是監控顧客的個資是否遭到線上銷售。
Marriott completed its acquisition of Starwood in September 2016, meaning the breach was ongoing for roughly two years before that deal closed.
萬豪酒店集團於2016年9月完成了對喜達屋酒店集團的併購案，這意味著此併購案在終局完成前大約持續進行了兩年。

Marriott officials did not respond to a request for interview, nor did they specify if the discovery of the breach was related to the monthslong integration of back-end systems at legacy Starwood hotels and brands to Marriott’s systems.

萬豪集團並未回應採訪請求，也沒有說明是否發現個資外洩與喜達屋集團和萬豪集團後端系統之間長達數月的整合有關。
The integration of systems and sales teams has been an ongoing talking point during quarterly earnings calls for companies with legacy Starwood properties, mostly related to how the shifts have negatively impacted performance at some properties.

在每季的萬豪法人說明會中，對於喜達屋品牌酒店的業主而言，營運系統和銷售團隊間的整合一直是個持續被關注的課題，這主要在於此項移轉會如何對某些營運據點的業績產生負面影響有關。
In a statement included in the news release, Marriott President and CEO Arne Sorenson noted officials “deeply regret this incident happened.”

在記者會上所發表的一份聲明中，萬豪總裁兼首席執行長阿恩 ‧ 索倫森(Arne Sorenson)正式表示「對此一事件的發生深表遺憾」。
“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center,” he said. “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

索倫森表示，「我們正努力確保我們的顧客能透過專責的網站和客服中心獲得其個人資料相關問題的解答。我們還將繼續配合執法單位的調查，並與領先的資安專家合作與改進。最後，我們正投入必要的資源來逐步汰除舊有的喜達屋集團系統，並加速我們的資訊安全持續強化。」

An ‘eye-opening’ moment (「令人瞠目結舌」的時刻 )

酒店安全諮詢公司Independent Security Evaluators 的執行合夥人暨酒店業安全問題的常規發言人 Ted Harrington 表示，在此重大個資外洩案爆發後，要批判像萬豪集團這樣的大公司算是很容易，他稱此案例為「令人瞠目結舌」，然而也要以此案例做為所有酒店業者重要的前車之鑑。

“If the world’s largest hotel company, even with all of its resources, can suffer such a massive and extended breach like this, then the rest of the industry should recognize the severity of the challenge ahead of us,” he said via email. “Security is not just an IT issue; it is a critical, board-level priority and should be treated and resourced accordingly. (Chief information security officers) should be empowered with suitable budget, headcount, and should report directly to the CEO, rather than another member of the C-suite—such as (chief information officer or chief technology officer)—which is commonly the case in the hospitality industry.”

Harrington以電子郵件接著說，「如果世界最大的酒店集團，就算擁有一切資源，還會遭受如此巨大且長期的個資外洩，那麼業界其他業者也應體認到所面臨的是更嚴峻的挑戰。資訊安全不僅僅是一個IT問題；它是一個至關重大的，董事會級別的優先事項，應當有相應的對待和資源。(資訊安全長) 應該授權以適當的預算與人員編制，並應直接向公司的執行長報告，而非只是高層管理人員的成員之一 (如資訊長或科技長)，因這樣的情況常見於酒店業 。」

Harrington’s suggestion for property-level hoteliers is to “coordinate with the brand’s incident response team to determine what steps you can take to support the recovery effort.”
Harrington 對於酒店業主的建議是「與酒店品牌的危機處置團隊協同合作，以確認可以採取哪些措施來處理危機復原工作。」

“Most importantly, coordinate with the brand about what to tell guests; they will be concerned and likely won’t be mollified by platitudes and generalities, but likely will appreciate candid responses about the situation and what is being done to protect them,” he said.

Harrington 接著說，「最重要的是，與酒店品牌協調出恰當的對外說明; 因顧客確實會在意，並且可能不會被陳腔濫調和籠統的說法緩解掉焦慮的情緒，但顧客很可能會對於坦白說明事件狀況以及告知目前採取的保護措施表達謝意。」

He said if there’s a silver lining to the breach, it’s that it underscores the importance of security.
他說，如果個資外洩事件會有助益的層面，那就是它強調了資訊安全的重要性。

“Hopefully this event can result in changes in how leadership perceives security: as a mission to be pursued, rather than a cost to be minimized,” Harrington said. “Hopefully this event can result in security leaders becoming more empowered with more suitable resources and better-aligned executive buy-in.”

Harrington表示，「希望此一事件能夠改變酒店領導階層看待資安的應有態度：要當作是一項理應追求的任務，而非降低成本的標的。也希望同時讓資安高層人員更能獲得合適的資源和引進更好的行政團隊。」

• • For more on data breaches in the hotel industry, read HNN’s data breach special report.

(有關酒店業個資外洩的更多資料，請閱讀 HNN的個資外洩特別報告。)

Investor sentiment (投資者觀感)
In a note to investors, Mike Bellisario, VP and equity research senior analyst at Baird, said the news could hurt Marriott in the eyes of Wall Street.

貝雅資本公司(Baird)副總裁兼股票研究高級分析師 Mike Bellisario 在一份致投資者的報告書中表示，此個資外洩的消息可能會損及萬豪集團在美國股市的評價。

“We believe investor sentiment toward Marriott could remain somewhat negative in the near term until this security incident is fully resolved and its true financial impact is learned,” he wrote. “Also, we’ll be keeping a close eye on customer demand/loyalty, which could slip a bit in the near term, in our opinion.”

Bellisario said the breach will fuel “customer concerns about merger-related hiccups, particularly surrounding the loyalty program integration.”

Bellisario接著表示，這一個資外洩事件將加深「顧客對於集團整併的相關問題，尤其是整合會員忠誠計劃的部份。」
“But we believe Marriott will continue to take the necessary steps to protect its biggest asset—its customers and their loyalty—and to ensure a successful merger integration process,” he continued. “However, as a result of these recent Marriott-specific headwinds, which are likely to pass over time, we believe Hilton and Hyatt (from a stock perspective) will be the relative winners.”

Bellisario 繼續說道，「但我們相信萬豪集團將持續採取必要時措施來保護其最大的資產 – 顧客及其忠誠度 – 並確保整併過程成功順利。然而，由於近期聚焦在萬豪集團的阻力可能將隨著時間一長而消逝，我們相信希爾頓和凱悅(從股票的角度來看)近期會是相對的贏家。」
As of press time, Marriott’s stock was trading at $115.71 a share, down 5% since markets opened.

至截稿為止，萬豪股價以每股115.71美元作收，自美國股市週五開盤以來下跌5％。