U.S. Sens. Jerry Moran (R-KS) and Roger Wicker (R-MS) want to know what’s behind the Marriott International cybersecurity data breach that has affected roughly 500 million people.
Marriott International on Nov. 30 announced measures were taken to investigate and address a data security incident involving its Starwood guest reservation database. The investigation found on Nov. 19 that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before Sept. 10, according to the company.
“We seek clarification regarding details of the incident,” wrote U.S. Sen. John Thune (R-SD), chairman of the U.S. Senate Commerce, Science, and Transportation Committee, who was joined by Sen. Moran, chairman of the Senate Commerce Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee, and Sen. Wicker, chairman of the Senate Commerce Communications, Technology, Innovation, and the Internet Subcommittee, in signing a Dec. 3 letter sent to Arne Sorenson, president and CEO of Marriott International.
The senators pointed out in their letter that of the estimated 500 million consumers impacted by the breach, some 327 million of them reportedly had a combination of customer data exposed, including personally identifiable information, passport numbers and Starwood Preferred Guest account information, among other facts.
Additionally, other sensitive information was revealed, such as credit card numbers, “but Marriott stated that this specific information was encrypted using the Advanced Encryption Standard (AES-128), which requires two individual components to decrypt the information,” the senators wrote.
However, they noted that Marriott also clarified that it hasn’t yet “ruled out that these decryption keys were also taken as a result of the breach.”
In their letter, Sens. Thune, Wicker, and Moran asked several questions of Sorenson related to details such as when the breach began, what consumer information was compromised, and investigative efforts Marriott International has taken since detection.
“Protecting consumers remains a key priority of the Senate Committee on Commerce, Science, and Transportation,” wrote the lawmakers, referring to the committee’s and its subcommittees’ jurisdiction over consumer protection and cybersecurity.
The members want Sorenson to answer their questions “as soon as possible,” but no later than Dec. 17, according to their letter.