Up to 383 million Starwood guests’ information has been compromised. Here’s how to know if you have been affected and some of the next steps to take.
Last Friday, Marriott International announced that the number of guests affected by the hotel group’s massive data breach may not be as far-reaching as initially estimated.
In November, Marriott said that up to 500 million guests who made a reservation at one of its Starwood properties on or before September 10, 2018, may have had their information stolen in what experts are calling one of the biggest data breaches in history. Now the company has lowered the count to 383 million customers, or fewer, since there "appear to be multiple records for the same guest," Marriott said in a statement.
Marriott acquired Starwood Hotels & Resorts Worldwide in 2016, bringing all of the Starwood brands into the Marriott fold. The breach impacted reservations made at Starwood properties (listed below), and not at Marriott properties (such as JW Marriott, Ritz-Carlton, Residence Inn, and Moxy), which operate on a different reservation system.
Here’s what Starwood guests who are concerned about what this could mean for them should know.
Who was impacted?
According to a statement from Marriott, an investigation found that an unauthorized party had gained access to the Starwood guest reservation database going back to 2014—yes, that’s four years of access. So, in other words, if you made a reservation at a Starwood property between 2014 and September 10, 2018, your information may have been hacked.
The Starwood brands include the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels. Starwood also includes branded time-share properties.
If your information was compromised, there is a good chance you will get an email notification if Marriott has an up-to-date email address for you. Marriott said that it had begun sending emails to affected guests on Friday, and that it would continue to do so on a rolling basis.
What was taken?
Marriott initially believed that the information taken from approximately 327 million of the 500 million impacted guests included some combination of their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, credit card numbers, and credit card expiration dates.
According to Marriott's most recent statement, the company believes that only 383 million records were involved in the incident. Marriott also now believes that around 5.25 million unencrypted passport numbers were accessed along with 20.3 million encrypted passport numbers (there is no evidence that the master encryption key needed to decrypt those passport numbers was accessed).
While 8.6 million encrypted payment cards were also involved in the incident, Marriott said that 354,000 cards were still unexpired as of September 2018.
"There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers," the company stated.
For the remaining guests, the information taken was limited to their name and sometimes other data such as their mailing address or email address.
If you think your data may have been stolen, what should you do?
First off, for anyone with questions or concerns about the data breach, Marriott has established a dedicated website and call center (which can be reached at 877-273-9481) to answer questions guests may have about the incident.
Marriott is also giving guests from the United States, Canada, and the United Kingdom the option to enroll in WebWatcher—which monitors sites where personal information is shared and generates an alert to the consumer if their personal information is found—free for one year. Guests from the United States who activate WebWatcher will also be given free fraud consultation services and reimbursement coverage.
CreditCards.com industry analyst Ted Rossman recommended that those impacted freeze their credit to prevent criminals from opening new lines of credit in their name.
“The names, addresses, passport numbers, and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” stated Rossman. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
So, what exactly does freezing your credit entail? According to Experian, one of the three major credit bureaus that need to be informed in order to execute a credit freeze (the other two being Equifax and TransUnion), when you freeze your credit report, a fraudster trying to apply for a credit card in your name would have his or her application rejected because the bank would be unable to verify your credit score.
The drawback, according to Experian, is that it can cause delays if you are actually trying to access credit for yourself, such as for a loan or credit card. As an alternative to freezing credit, the agency suggested signing up for a fraud alert with the three credit bureaus. When you have a fraud alert on your credit report, lenders must verify your identity before they issue you credit or a loan — and the alert will stay on your report for one year.
What’s next for Marriott?
Marriott has reported the breach to law enforcement officials and regulatory authorities, which have launched an investigation.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Sorenson said the company is working with security experts to improve its systems. Additionally, it will phase out the Starwood systems, and will be making ongoing security enhancements to its network.
This article originally appeared online on November 30, 2018; it was updated in January 2019 to include current information.