The Marriott data breach


Marriott International says that a breach of its Starwood guest reservation database exposed the personal information of up to 500 million people. If your information was exposed, there are steps you can take to help guard against its misuse.

According to Marriott, the hackers accessed people’s names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information. For some, they also stole payment card numbers and expiration dates. Marriott says the payment card numbers were encrypted, but it does not yet know if the hackers also stole the information needed to decrypt them.

The hotel chain says the breach began in 2014 and anyone who made a reservation at a Starwood property on or before September 10, 2018 could be affected. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, and other hotel and timeshare properties.

The company set up an informational website, https://answers.kroll.com, and a call center, 877-273-9481, to answer questions. It says affected customers also can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. Marriott says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.

If your information was exposed, take advantage of the free monitoring service, and consider taking these additional steps:

  • Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could signal identity theft. Visit IdentityTheft.gov to find out what to do.
  • Review your payment card statements carefully. Look for credit or debit card charges you don’t recognize. If you find fraudulent charges, contact your credit card company or bank right away, report the fraud, and request a new payment card number.
  • Place a fraud alert on your credit files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you. A fraud alert is free and lasts a year.
  • Consider placing a free credit freeze on your credit reports. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that it won’t stop a thief from making charges to your existing accounts.

Marriott says it will send some customers emails with a link to its informational website. Often, phishing scammers try to take advantage of situations like this. They pose as legitimate companies and send emails with links to fake websites to try to trick people into sharing their personal information. Marriott says its email will not have any attachments or request any information. Still, the safest bet is to access the informational website by typing in the address, https://answers.kroll.com.

To learn more about protecting yourself after a data breach, visit IdentityTheft.gov/databreach.

Comments

WE ARE VICTIMS OF THE MARRIOTT DATA BREACH.

Thank you for this information. Very useful. It is apparent that tighter control over internet information OR stricter penalties for hackers is needed.

I suggest thorough investigation. Marriott should be held responsible. For example, I was traveling out of the country; when I got to the airport (Dulles Airport), I was told that the plane was overbooked. I was not offered any refund. They decided to check me in at Marriott Hotel till the next day. I used the hotel computer to browse, and later discovered that my identity had been compromised. Too bad.

Really? One of the largest breaches ever, and the FTC's response is to put the onus on us - the public - to fix Marriott's incompetence?
Where is the penalty to the corporation that caused this breach, not to mention the aftershock effects of phishing that will no doubt come as a result of this?

Was your information exposed? Marriott has an informational website and a call center, 877-273-9481, to answer questions. Marriott says affected customers can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. It says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.

If your information was exposed, take advantage of the free monitoring service, and consider taking the additional steps described in the blog.

Marriott still does not who was impacted; I have asked repeatedly since the issue was first reported. The website is useless and the Kroll employees have a simple script that refers you to the site and credit monitoring. Marriott’s actions are shameful and the FTC needs to force action...or be disbanded as what purpose do you serve?

The fact that this happened 4 years ago and your company did not even suspect a compromise. What are you doing to appease those who have been affected and the time now we must spend monitoring our credit? Why should our credit card companies be left with any potential losses and the cost to replace our credit/debit cards and thus ultimately pass this cost back to us? It was your company that didn't protect our confidential information and now we must suffer.

If your information was exposed, take advantage of the free monitoring. Marriott has an informational website and a call center, 877-273-9481, to answer questions. Marriott says affected customers can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. It says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.

Consider the additional steps listed in the blog. They can help you spot identity theft and stop someone from opening accounts in your name.

Sorry, no, one year of credit monitoring is not enough. I want lifetime monitoring and a guarantee there will be reimbursement if this data is used against me. Please step it up FTC. These guys were negligent for FOUR YEARS.

I believe virtually all fraud and cybercrime will stop automatically if banks implement simple systems they are aware of which will personalise signature, PIN and passwords to the individuals so criminals will not get tempted to use them to make easy money.

I cannot think of any reason why proposed will not restore honesty can you?

That explains the phone call I had today from a “Marriott Property” that I had stayed in recently that I hung up on. Bring on all the annoying phone calls that I will have to block. How do these companies get away with time after time?

I paid for a safe and secure stay at Marriott/Starwood/allProperties and am rewarded with Marriott advising me that I should never have given private information out to begin with...yet it is required by the chain and gov agencies. PATHETIC. that they accepted the responsibility at the time... but now it is my problem... oh yeah if I can prove it was them... Marriott might foot the bill for my new passport...maybe KROLL is the only winner in all of this.

OR it took them 4 years to find out about it ????????????????????

Well done Seena and the above steps will prevent a whole lot of malpractices and prevent credit card fraud in the near future to Marriott and its entities. You did good with this publication. Whoever has ears should listen/hearken to your advice. I have paid $12.99 for years to keep up/track with my credit card, and that is hardly enough. It is tough out there especially with most folks being out of work/layoffs/downturns/fluctuation in the economy, anyone could have done that to Starwood Corporation out of frustration. It all comes back.
Best,
Gloria.

Need to verify if breach affected me.

I think the breach goes back further than 2014, because I received a spam email posing as Marriott customer service wanting to give me 2 nights free stay voucher to ANY Marriott hotel. The email was sent to my work email, which was used only once at an SPG hotel in 2008.

The problem with all of this is that the names of the companies change but the same result is the same. It seems to be an acceptable business practice to be hacked and throw out some blanket for a false sense of security, in terms of a one year monitoring. These companies will keep the budgets low, raise the amount of insurance coverage and then when a breach occurs, say they are sorry and "your information is important to us" or "we take this very seriously". Yeah NOW that a breach has occurred you do. They ride the gravy train until it falls off the track. Then, they win back some of the money via insurance or, simply write it off as a loss the following year. What happens to the consumers? Not much, they are left to tackle these instances by themselves, with a heaping tablespoon of go here, read this and figure it out yourself. Many people behind the scenes don't get it...... they are in an IT field or other profession for years or decades. A victim of ID theft for the first time may not be as technically savvy to the ways of handling all of this. They will go to the bank, demand a new card and they think the issue is over. That's far from the truth. The process is broken. There is no surefire way for the corporations to be completely secure from attackers since there are many, many undocumented zero day vulnerabilities that exist. When credit card companies start losing billions of dollars, then they will fix a problem. Until then, it's on the consumers to drop a corporation that has violated their trust. People won't do this for two reasons. They are creatures of habit, returning to their old ways and forgiving too quickly. And, since there aren't any strict governmental standards in place, or stricter card rules, standards and security, the list of hacked sites outweigh the ones still not hacked. So what do people do? A bunch of nothing, or rant and rave about a class action suit which brings them 50 bucks and another false sense of victory.
It's crazy, this is accepted, and the process is so broken that eventually, someone with a brain will figure out a rule to take the ease out of the process and incorporate security once again.

People should also change passwords on other sites if it's the same password as the one they used to log in to their Marriott/Starwood online account.

Where are the laws to stop public and private organizations from gathering information from any and all U.S. tax paying citizens?! Why is Experian still listed as one of the credit agencies accessing and holding onto our information?? Why aren't our congress representatives outraged that none of the top Experian principals have not been fired and prosecuted. Our elected representatives and senators need to take action now!! To protect our privacy and our personal information pass a right to privacy law that punishes those that choose by neglect or purpose to violate the law! Until this occurs no one's rights are safe going forward! Every year we are seeing more electronic devices innocently being offered as personal assistance devices. BEWARE until we have in place laws to regulate oversight of these electronic devices we are being painfully ignorant and way too trusting.

I went to change my password and delete my payment info, and noticed my account was linked to Facebook, which I did not do. I tried to delete the link but couldn’t. What is going on? Marriott needs to fix ASAP.

What a joke. Pathetic response to an unacceptable breach of trust. People... Remember... the corporations and the government DO NOT CARE about us.

Protect yourself by monitoring your own credit and bank accounts. WHEN it happens, and it will, report it and move on with your life.

We gave up real security when we went to a fiat currency anyway, the only reason your dollars have worth is because someone else will exchange goods for them. Look at Venezuela to figure out how badly this can go when people no longer agree on the value of a dollar.

I received an email sending a link to accept a voucher for two night stay from Marriott as an apology for my personal data being stolen from them. I think if I clicked the links I would get a virus or worse! Has anyone else received this type of email?

That's a scam email - delete it! Thanks for spotting that and warning people.

It's good that you didn't click on the links or reply to it. That email is from a scammer who is phishing around for information. Scammers often send emails like that after a breach. They hope people will click on the links and share personal information.

Why doesn't the FTC hold companies liable like individuals are held liable under the Privacy Act? Currently, the Act states if an individual is found guilty of violating this Act they can be fined $5,000. Take into consideration that with 2017 national annual median income being approximately $61,000, that is about 12% of income. If that were applied to the Marriott breach.. Marriott would owe the government about $2,200,000,000, as in 2017 their annual profit was about $22,000,000,000. I think if corporations were held accountable for their actions like individual citizens are...these breaches in PII security would stop immediately.
