500 Million People Hit by Starwood Hotels Breach: What to Do

UPDATED Jan. 7, 2019 with revisions to number of persons and data impacted by data breach.

Marriott Hotels just revealed that “up to approximately 500 million people” who have made reservations at its Starwood properties have been impacted by a massive data breach of the company’s guest reservation database.

How Bad Is It?

For 327 million of these guests, the information accessed includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account info, date of birth, gender, arrival and departure information, reservation data and communication preferences.

Credit: Roberto Machado Noa/LightRocket via Getty Images


That’s a treasure trove of information for criminals and spammers, but it gets worse. For some guests, the information accessed includes payment card numbers along with their expiration dates. And while the card numbers were encrypted, “Marriott has not been able to rule out the possibility” that the components needed to decrypt the payment card numbers were also taken.

Starwood says that for other guests, the information taken may be limited to the guest name, email address and mailing address.

Fortunately, hotels don't ask for Social Security or Social Insurance numbers as forms of identification. But they do take passport numbers, which might let an identity thief create a pretty convincing passport to pose as you if he or she also had your name and place of birth.


What Hotels Are Included?

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program. Starwood branded timeshare properties are also included.

What to Do

Marriott has established a call center to answer questions guests may have about the incident, and it has begun sending emails on a rolling basis to affected guests.

Marriott is also providing guests who are residents of the United States, Canada and the United Kingdom free access for one year to WebWatcher, a service that monitors sites where personal info is shared. The service generates an alert when there’s evidence that your personal info has been found.

You should also change your SPG account password. In addition, you should monitor your payment card (debit or credit) for any unauthorized activity.

Tom’s Guide offers a complete guide of what to do after a data breach.

What Happened?

The unauthorized access reportedly took place on or before September 10, 2018. Marriott received an alert on Sept. 8 from an internal security tool regarding an attempt to access the Starwood guest reservation database.

During the course of its investigation, Marriott learned that there had been “unauthorized access to the Starwood network since 2014.” For those scoring at home, that’s four years ago, some two years before Marriott purchased the Starwood chain.

UPDATE: On Jan. 4, 2019, Marriott provided revised numbers on the data breach.

"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident," the company said in a press release. "In many instances, there appear to be multiple records for the same guest."

In addition, "approximately 5.25 million unencrypted passport numbers" and "approximately 20.3 million encrypted passport numbers" were part of the breach, as well as "8.6 million encrypted payment cards."

However, "Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers."

As before, anyone who has stayed at a Starwood property since 2014 should review their credit reports. But because the prevailing hypothesis is that this data was stolen by Chinese government intelligence operatives as part of a counterespionage operation, the average person might not need to worry too much.


Mark Spoonauer

Mark Spoonauer is the global editor in chief of Tom's Guide and has covered technology for over 20 years. In addition to overseeing the direction of Tom's Guide, Mark specializes in covering all things mobile, having reviewed dozens of smartphones and other gadgets. He has spoken at key industry events and appears regularly on TV to discuss the latest trends, including Cheddar, Fox Business and other outlets. Mark was previously editor in chief of Laptop Mag, and his work has appeared in Wired, Popular Science and Inc. Follow him on Twitter at @mspoonauer.