Marriott Data Breach Compromised 500 Million Starwood Guest Accounts
Marriott, one of the world’s largest hotel conglomerates, said today that the guest reservation system of Starwood hotels, a group of properties which it acquired in 2016, was hacked, potentially leading to the compromise of data from 500 million guests who made a reservation at a Starwood property from 2014 through September 10th of this year. Starwood hotels includes the Sheraton, Westin, W, and St. Regis hotel chains.
Marriott, which has 5,700 properties in more than 110 countries, discovered unusual computer activity in September, and, after hiring cybersecurity experts to analyze the goings on, came to understand last week the nature and scope of the compromise. The firm noted that for 327 million people, the information potentially exposed includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” Furthermore, for some guests, payment card numbers and payment card expiration dates may have been taken – that data was encrypted, but it is not clear if the two components needed to decrypt the data were also stolen, and, as such, it is possible that hackers were able to decrypt stolen credit card numbers.
Interestingly, one clue that I received earlier this week that something might be amiss was that emails that I sent to Marriott’s frequent traveler customer-support department — which are normally returned quite quickly — received an auto-response that responses might not be sent for as long as two weeks.
One important note which seems to be missing from many media reports – the breach is believed to impact only people who made reservations via the Starwood system; people who have been booking hotels via Marriott’s system (including myself) appear to be unaffected.
According to its statement, Marriott has established a dedicated call center to answer questions people may have about the incident, is sending emails to affected guests, and is offering impacted people a one-year subscription to the WebWatcher personal information monitoring service.
I wonder, however, if the biggest danger isn’t virtual: especially for folks who travel alone and regularly, criminals knowing travel patterns creates all sorts of physical security risks.
For more details, please see Marriott’s statement.