Up to 500 million Starwood guests’ information has been compromised. Here’s how to know if you have been affected and some of the next steps to take.
Marriott International announced on Friday that up to 500 million guests who made a reservation at one of its Starwood properties on or before September 10, 2018, may have had their information stolen in what experts are calling one of the biggest data breaches in history.
Marriott acquired Starwood Hotels & Resorts Worldwide in 2016, bringing all of the Starwood brands into the Marriott fold. The breach impacted reservations made at Starwood properties (listed below), and not at Marriott properties (such as JW Marriott, Ritz-Carlton, Residence Inn, and Moxy), which operate on a different reservation system.
Here’s what Starwood guests who are concerned about what this could mean for them should know.
Who was impacted?
According to a statement from Marriott, an investigation found that an unauthorized party had gained access to the Starwood guest reservation database going back to 2014—yes, that’s four years of access. In other words, if you made a reservation at a Starwood property between 2014 and September 10, 2018, your information may have been compromised.
The Starwood brands include the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels. Starwood also includes branded time-share properties.
If your information was compromised, there is a good chance you will get an email notification if Marriott has an up-to-date email address for you. Marriott said that it had begun sending emails to affected guests on Friday, and that it would continue to do so on a rolling basis.
What was taken?
According to Marriott, information taken from approximately 327 million of the 500 million impacted guests included some combination of their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, credit card numbers, and credit card expiration dates.
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the company stated.
For the remaining guests, the information taken was limited to their name and sometimes other data such as their mailing address or email address.
If you think your data may have been stolen, what should you do?
First off, Marriott has established a dedicated website and call center (which can be reached at 877-273-9481) to answer questions guests may have about the incident.
Marriott is also giving guests from the United States, Canada, and the United Kingdom the option to enroll in WebWatcher—which monitors sites where personal information is shared and generates an alert to the consumer if their personal information is found—free for one year. Guests from the United States who activate WebWatcher will also be given free fraud consultation services and reimbursement coverage.
CreditCards.com industry analyst Ted Rossman recommended that those impacted freeze their credit to prevent criminals from opening new lines of credit in their name.
“The names, addresses, passport numbers, and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” stated Rossman. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
So, what exactly does freezing your credit entail? You need to notify all three major credit bureaus (Experian, Equifax, and TransUnion) to put a freeze in place. According to Experian, when you freeze your credit report, a fraudster trying to apply for a credit card in your name would have the application rejected because the bank would be unable to verify your credit score.
The drawback, according to Experian, is that a freeze can cause delays when you are actually trying to access credit for yourself, such as for a loan or credit card. As an alternative to freezing credit, the agency suggested signing up for a fraud alert with the three credit bureaus. When you have a fraud alert on your credit report, lenders must verify your identity before they issue you credit or a loan, and the alert will stay on your report for one year.
What’s next for Marriott?
Marriott has reported the breach to law enforcement officials and regulatory authorities, which have launched an investigation.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Sorenson said the company is working with security experts to improve its systems. Additionally, it will phase out the Starwood systems, and will be making ongoing security enhancements to its network.