By David Shepardson
WASHINGTON (Reuters) – Marriott International Inc Chief executive Arne Sorenson will testify before a U.S. Senate panel Thursday about a hacking incident it reported in December that exposed the records of up to 383 million customers in its Starwood hotels reservation system and 5.25 million passport numbers.
The Senate’s Permanent Subcommittee on Investigations is holding a hearing “to examine the causes and scope of private sector data breaches that expose the most sensitive information of millions of Americans.”
The hearing will also include Equifax Inc Chief Executive Mark Begor, who will discuss the company’s 2017 disclosure of the hacking of sensitive data of about 148 million people. That massive breach sparked calls for changes by Congress to the credit reporting agencies’ handling of data.
Marriott disclosed on Nov. 30 that it had discovered its Starwood hotels reservation database had been hacked over a four-year period in one of the largest breaches in history. At least five U.S. states and the UK’s Information Commissioner’s Office are investigating the attack.
A company spokeswoman confirmed Sorenson would testify but declined to comment further.
Marriott also said that it had completed an effort to phase out the Starwood reservations database that it acquired in September 2016 with its $13.6 billion purchase of Starwood. The hack began in 2014, a year before Marriott offered to buy Starwood.
The company initially said records of up to 500 million guests were involved and then revised its estimate to up to 383 million in January.
The hotel operator also said that some 25.55 million passport numbers were stolen in the attack on the Starwood Hotels reservation system, 5.25 million of which were stored in plain text. Another 8.6 million encrypted payment cards were also taken in the attack, it said.
The Senate panel will also hear from the Federal Trade Commission’s director of the Bureau of Consumer Protection and others “to focus on policies Congress could consider in order to help prevent future cyberattacks and data breaches.”
The committee also plans to release a report on Equifax “detailing the repeated failures over the years on the part of Equifax that led to the devastating breach in 2017.”
Marriott said last week that in the fourth quarter of 2018 it had incurred $28 million in expenses and recognised $25 million (19 million pounds) of insurance proceeds related to the data security incident.
(Reporting by David Shepardson; editing by Jonathan Oatis)