Marriott, Hilton Hit by Breach to Client E-mail Information

Marriott International Inc. and Hilton Worldwide are among the growing list of companies affected by a data breach last week that provided unauthorized access to customer names and e-mail addresses.

The affected files didn’t include customer financial information or physical addresses, the hotel chains said in separate statements today. The breach occurred at Epsilon, a Dallas-based provider of e-mail marketing services.

Marriott, the largest U.S. hotel chain by revenue, and Hilton, owned by Blackstone Group LP (BX), join companies including Walgreen Co. (WAG) and Citigroup Inc. (C) as victims of the breach. Epsilon said it’s conducting an investigation into the incidents, which occurred March 30.

“Epsilon is a major player in this area -- one of the largest,” Mikko Hypponen, a manager at Helsinki, Finland-based F-Secure OYJ’s anti-virus division, said in an interview. “When you have such a large company, there’s a lot of data lost.”

JPMorgan Chase & Co. (JPM), the second-biggest U.S. bank by assets, and Kroger Co. (KR), the grocer, began the warnings on April 1. Capital One Financial Corp. (COF) and TiVo Inc. (TIVO) were also affected. Companies and law enforcement are also investigating the incidents.

‘Thorough Investigation’

The nonprofit College Board, which hosts a website that posts SAT scores and helps high school students prepare for college, also has been affected. First and last names and e-mail addresses of some customers were exposed, said Peter Kauffman, a spokesman at the New York-based organization.

“We are conducting a thorough investigation into this matter and will continue to update those who may have been affected,” Kauffmann said in an e-mailed statement.

Barclays Plc’s U.S. payments business, Barclaycard U.S., notified customers April 3 that some names and e-mails were compromised and is working with law enforcement authorities, said Kevin Sullivan, a spokesman for Barclays, which is Britain’s third-biggest bank.

Walt Disney Co. (DIS)’s travel subsidiary sent e-mails warning customers that it had also been exposed to the breach.

Such e-mail breaches usually involve people who want to sell lists of names to spammers, who can then either spam the names gathered, or use the contact information to impersonate a sender and bypass e-mail filters, Hypponen said.

‘Sending Spam’

“Some of these people will look like they’re sending spam when they aren’t,” he said.

There isn’t much hackers can do with e-mails beyond using the information to send additional messages, said Bruce Schneier, chief security technology officer at BT Group Plc.

“This is mild,” he said. “They just got e-mail addresses. It’s like car crashes. It happens all the time.”

The situation “will not be a big deal from a legal perspective or a financial perspective” if it remains limited to e-mails and doesn’t involve credit card data, said Robert Scott, managing partner at Southlake, Texas-based law firm Scott & Scott LLP, which focuses on privacy security and regulation issues.

Marriott, based in Bethesda, Maryland, fell 17 cents to $35.24 today in New York Stock Exchange composite trading. Hilton Worldwide is based in McLean, Virginia.

To contact the reporter on this story: Danielle Kucera in New York at dkucera6@bloomberg.net;

Chris Burritt in Greensboro at cburritt@bloomberg.net.

To contact the editor responsible for this story: Tom Giles at tgiles5@bloomberg.net.
