Another major hotel chain hacked, 500 million customers compromised

Here we go again – another day, another data breach. Travelers have become big targets for hackers these past few months. From the data breaches of major airlines British Airways and Canada Air to the biggest airline security breach of all time in Cathay Pacific, to the Radisson Hotel Group breach, criminals have been busy compromising the data of millions of weary travelers around the world.

And now, following these high-profile breaches, another major hotel chain has suffered a massive breach, this time affecting 500 million customers!

If you made a reservation at one of these hotels these past few years, hackers may now have your data. Read on to see if you’re affected and what you can do about it.

Marriott-Starwood hotel chain breach

Marriott has confirmed that it has suffered a massive data breach that has compromised the information of around 500 million guests who made reservations at their Starwood properties.

For approximately 327 million of these guests, the stolen information includes:

  • Name
  • Mailing address
  • Phone number
  • Email address
  • Passport number
  • Starwood Preferred Guest (“SPG”) account information
  • Date of birth
  • Gender
  • Arrival and departure information
  • Reservation date
  • Communication preferences

Worse yet, in some cases, information may include the following:

  • Payment card numbers
  • Payment card expiration dates

Although Marriott said that the payment card information was encrypted, it can’t rule out the possibility that the tools needed to decrypt this information were taken too. Yikes!

What happened?

Based on Marriott’s disclosure, the company determined on Nov. 19 that there was unauthorized access to its Starwood guest reservation database. This database contained guest information relating to reservations at Starwood properties on or before Sept. 10, 2018.

The troubling part? Marriott discovered during its investigation that unauthorized parties have been accessing the Starwood network since 2014. That’s more than four years!

Fun fact: Marriott bought the Starwood chain of hotels in 2016. Although the Starwood chain is now part of Marriott, actual Marriott-branded hotels are not affected by this breach.

List of Starwood Hotels. Are you affected?

Here’s a list of Marriott’s Starwood brands. If you made a reservation at one of these hotels these past few years, please take the necessary steps to protect your identity and credit card information:

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Méridien Hotels & Resorts
  • Four Points by Sheraton
  • Design Hotels

What now?

Marriott said that it has reported this incident to the appropriate law enforcement agencies and investigations are now underway. It has started notifying regulatory agencies, as well.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive officer, in an official statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The company has already started sending notification emails to affected customers whose email addresses are in the Starwood guest reservation database. Keep an eye out for that email (make sure it’s the real deal and not a phishing email, though).

It is also offering a free year’s worth of personal information monitoring from WebWatcher to impacted guests. According to Marriott, “WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.”

Where to get help?

Marriott has put up a dedicated website and call center to help customers who have questions about this large-scale data breach.

If you have any questions, you can visit its Starwood Guest Reservation Database Security Incident FAQ page.

Since this is an international incident, the call center numbers for each country are listed on this page, too. For U.S. customers, the hotline is 877-273-9481.

What to do after a data breach

Whenever a data breach occurs in any of the services you use, it’s important to take precautionary steps. The Marriott breach is massive and will no doubt have long-lasting effects.

  • Scammers will try to piggyback on data breaches like this. Beware of phishing scams and phone calls that pretend to be from Marriott. These are meant to deceive you and steal more of your personal information.
  • Even though banking information is not involved, you should already be frequently checking your bank statements, looking for suspicious activity. If you see anything that seems strange, report it immediately to your bank. It’s the best way to keep your financial accounts safe.
  • It’s also a good time to audit your online accounts and passwords. This is especially true if you use the same credentials for multiple websites. 
  • Lastly, if you think you are already compromised, put a credit freeze on your accounts as soon as you can.

Click here to read Marriott’s full statement.
