Marriott International is investigating a data breach involving the Starwood guest reservation database. Some no-good hacker managed to gain unauthorized access to the database, which had information relating to guest reservations for stays on or before September 10, 2018 at Starwood properties.
A wide range of hotel brands fall under Starwood and include the stylish W Hotels, the luxe St. Regis properties, business brands Sheraton Hotels & Resorts and Westin Hotels & Resorts, lifestyle properties like Element Hotels and Aloft Hotels and the list goes on—The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also part of the mix.
And the breach is pretty serious—one of the most widespread ever recorded. On September 8, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. They quickly engaged security experts to help determine what had happened. Marriott learned that there had been unauthorized access to the Starwood network since—yikes—2014. Now they’ve discovered an unauthorized party copied and encrypted information and, on November 19, Marriott was able to decrypt it.
The company has not finished finding duplicate information in the database, but believes it affects up to 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the data also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted, so there’s that.
Cathryn Culverhouse is a solicitor at the law firm DMH Stallard. She is an expert on data protection and GDPR regulations.
“This is clearly sensitive personal information from which individuals can easily be identified,” she said. “Such information getting into the hands of fraudsters could have severe consequences, especially in respect of identity or bank fraud.”
Marriott has informed law enforcement and has set up resources to keep guests informed of what’s going on and where to go if they have questions.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Here’s what Marriott International has set up to get you the info you need:
Dedicated website and call center
We have established a dedicated website and call center to answer questions you may have. There is also a FAQ section on this site. The call center is open seven days a week and is available in multiple languages.
Marriott will begin sending emails on a rolling basis starting today to affected guests whose email addresses are in the Starwood guest reservation database.
Free WebWatcher enrollment
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert if evidence of the consumer’s personal information is found. Guests from the US, Canada and the UK who activate WebWatcher will also be provided fraud consultation services and reimbursement coverage for free. Activate WebWatcher here and click on your country, if listed, for enrolment.
Remember it’s a big, bad world out there sometimes so do everything you can to keep your info safe.