As many as 500 million people who made reservations at Starwood properties may have had their personal information accessed in a breach that lasted as long as four years.
The hotelier said it determined Nov. 19 that a breach had occurred involving the Starwood guest reservation database, which has information on reservations at Starwood properties made on or before Sept. 10, 2018.
Marriott said it got an alert Sept. 8 about an attempt to access the Starwood database in the U.S., and enlisted security experts to assess the situation. During the investigation, Marriott learned there had been unauthorized access to the Starwood network since 2014, the company says.
An unauthorized party had copied and encrypted information from the database and had taken steps towards removing it, Marriott says. The company was able to decrypt the information on Nov. 19 and found that the contents were from the Starwood guest reservation database.
Marriott has not finished decrypting the duplicated data but says it contained information on as many as 500 million guests who made a reservation at a Starwood property. For about 327 million of them, Marriott says, the data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Any guest who made a Starwood reservation, regardless of whether they are a Starwood Preferred Guest member, may have had their data involved in the breach, Marriott says. For some Starwood guests, the data may also include payment card numbers and payment card expiration dates, but the payment card numbers were encrypted, Marriott says.
Still, Marriott has not been able to rule out the possibility that the breach led to that data being accessed. For the remaining guests, the information was limited to name and possibly other data such as mailing address, email address, or other information.
Marriott has notified regulators about the breach and continues to work with law enforcement on the investigation, the company says.
“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott completed its $13 billion acquisition of Starwood Hotels and Resorts in September 2016, making the combined company the largest hotel chain in the world with more than 5,500 hotels at the time. Marriott now has more than 6,700 hotels.
After the merger, members of the Marriott Rewards and Starwood Preferred Guest programs were able to link their accounts. However, Marriott uses a separate reservation system on a different network for Marriott hotels.
Starwood Hotels include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
Marriott says it will begin emailing guests whose email addresses are in the database on Friday. The company says it will provide guests with the online account monitoring service WebWatcher free of charge for one year. The service reimburses fraud losses of up to $1 million. U.S. customers who use it will also get fraud consultation services and reimbursement coverage for free.
To enroll in WebWatcher and get additional information about the breach, customers can go to info.starwoodhotels.com.
Other steps Marriott recommends to guests potentially hit in the breach:
• Monitor your Starwood Preferred Guest account for suspicious activity.
• Change your password. Do not use easily guessed passwords or the same password for multiple accounts.
• Review your credit card statements for unauthorized activity and immediately report any to your bank.
• In the wake of data breaches, consumers should be wary of third parties attempting to gather information by deception, so-called "phishing" attempts, including through links to fake websites. Marriott will not ask you to provide your password by phone or email.
• If you think you may be the victim of identity theft, or that your personal data has been misused, immediately contact law enforcement and the Federal Trade Commission. On its site, the FTC recommends that consumers get a free, one-year fraud alert from one of the three credit bureaus: Equifax, Experian, or TransUnion.