It was announced early this morning that up to, or over, 500 million consumers had their personal information compromised in a data breach of Marriott-owned Starwood hotels, which include high-end properties such as Westin, W, Sheraton, St. Regis, and Aloft. Here’s what we know about the Marriott Data Breach:
Consumer Reports tells us that the breach includes the customer’s name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
“This is a massive breach—the number of affected consumers is bigger than the entire population of the U.S.—and it involves lots of sensitive personal information, including passport numbers and travel history,” says Dan Guido, founder of the security firm Trail of Bits.
The compromised data also includes payment card information and card expiration dates. The company reported that the payment information was encrypted but the company could not rule out the possibility that both of the elements needed to break the encryption were also taken in the breach.
The Marriott security breach involves the Starwood customer guest reservation database dating back to early September, and possibly as far back as 2014. The breach does not affect guests at Marriott hotels because those hotels’ information was stored in a different database.
The Marriott brands affected in the breach included W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels as well as Starwood branded timeshare properties.
Consumers Being Contacted
Marriott began contacting affected customers by e-mail today but hasn’t finished that process.
The company also established a dedicated website and call center to answer consumer questions about the incident and updated the Frequently Asked Questions section of the chain’s website. The call center will be open seven days a week and assistance is available in multiple languages.
Marriott is also providing guests with the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.
Consumers from the United States who activate WebWatcher will also be provided with fraud consultation services and reimbursement coverage for free. To activate WebWatcher, go to info.starwoodhotels.com. The filing noted that WebWatcher or similar products are not available in all countries.
Passport Data at Risk
The Starwood breach involved a significant amount of personal information, although it doesn’t involve the same amount of financial data as, say, last year’s massive Equifax breach.
“Because the breach doesn’t include encrypted financial information, it might not be covered by a lot of state breach notification laws,” says Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports. “But there’s still private information in there that you might not want the world to know about, and could be used to potentially embarrass or blackmail someone.”
The wild card seems to be the inclusion of passport information for some hotel customers. Passport information is particularly valuable to anyone trying to steal a consumer’s identity. Like a Social Security number, it’s considered by most financial institutions as information that can definitively identify a person, and it can’t be easily changed.
What Consumers Can Do
Here are some steps you can take to protect yourself:
- Check with Marriott to determine whether your information may have been compromised, and sign up for WebWatcher.
- Monitor your own financial information on a regular basis, including your credit card bills, bank statements, and your credit report.
- Consider a credit freeze to make it harder for cybercriminals to apply for loans, credit cards, and wireless phones using your personal information.
- Be wary of spear phishing scams. The very specific data included in this breach–including travel history–can be used by cybercriminals to lull victims into a scam. So be aware of e-mails and callers using this kind of information.
- Going forward, be as stingy as possible with your personal information. Consider the risk-reward before you sign up for affinity programs like hotel rewards programs. And whenever possible, decline to offer personal information. When that information is required, use burner e-mail and phone information, or even your work accounts and numbers, rather than your personal information.