Marriott data breach hits 5.2 million people: What to do now

Marriott data breach
(Image credit: Jer123/Shutterstock)

Marriott International today (March 31) disclosed a data breach affecting about 5.2 million former hotel guests, whose contact information and other personal data appear to have been compromised.

The possibly stolen data included guests' names, addresses, email addresses and phone numbers, as well as details of users' Marriott Bonvoy accounts and room preferences. 

But it did not include "payment card information, passport information, national IDs, or driver's license numbers" or "Marriott Bonvoy account passwords or PINs," according to the web page Marriott has posted about the incident

That somewhat limits the potential damage from the data theft, although spammers and robocallers may have fun with the contact information. 

Guests' "birthday day and month" were included in some instances, but an identity thief would probably need to know a targeted individual's year of birth as well to make that count. 

Marriott owns roughly 30 hotel and hospitality brands, including Sheraton, W, Westin, Ritz-Carlton, Le Meridien, Renaissance and Fairfield Inn as well as half a dozen Marriott brands. A full list is at the end of this story.

Marriott breach: What to do

Affected guests should have received emails from Marriott (specifically, from the address) about this already. If you're in doubt, there's a "self-service portal" where you can check if you're affected. 

You can also make a toll-free call to +1-800-598-9655 in the U.S. and Canada, 08003457018 in the U.K., 1800280257 in Australia, 0805540130 in France and 08006644414 in Germany. The rest of the world has to place international calls to +1-402-952-5356.

The emails should include a code with which you can sign up for a free year of Experian IdentityWorks identity-theft protection. It couldn't hurt, though you can also look over our reviews of the best identity-theft protection services if you want to spring for better protection.

Six weeks of access

Marriott didn't indicate how old the compromised data might be, so we can't yet give you a timeframe of when affected guests might have stayed at a Marriott-managed property. 

The company said the intrusion started in mid-January after someone misused the login credentials of two employees of a "franchise property," i.e. a Marriott-branded hotel not directly owned by Marriott International. 

The breach was discovered at the end of February, giving the intruder(s) a good six weeks to roam Marriott's systems.

Not Marriott's first rodeo

In late 2018, Marriott reported a much bigger, even more serious data breach involving the records of some 500 million people who had stayed at former Starwood Hotels brands

That intrusion began in 2014, two years before Marriott International bought the Starwood properties, and included guests' passport numbers and credit-card numbers. 

Because none of the stolen information has been seen in criminal marketplaces, some cybercrime experts now think the 2014-2018 breach was carried out by Chinese state-sponsored hackers looking for information on the movements of Western politicians, corporate executives, diplomats and spies.

Marriott International owns and/or manages "30 brands and 7,000+ properties across 131 countries and territories," according to the company's website

Its hotel brands include Ritz-Carlton, St. Regis, W, Sheraton, Edition, Delta, Rennaissance, Gaylord, Luxury Collection, Le Meridien, Westin, Four Points, SpringHill Suites, Protea, Fairfield Inn and Suites, AC, Aloft, Moxy, Residence Inn, Element, TownePlace Suites, Autograph Collection, Design Hotels and Tribute Portfolio, as well as Homes & Villas by Marriott International, Marriott Executive Apartments, Courtyard by Marriott, Marriott Vacation Club, Marriott Hotels and JW Marriott.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.