The personal information of up to approximately 500 million guests who made a reservation at a Starwood property may have been accessed in a hack, Marriott has announced.
The hotel chain has admitted that information, including passport numbers, may have been compromised for approximately 327 million of those affected.
Marriott’s investigation determined that there was unauthorised access to the database, which contained guest information relating to reservations on or before 10 September 2018.
Leading security experts have been working to determine how this occurred and found evidence of unauthorised access to the Starwood network since 2014.
An unauthorised party had copied and encrypted information, which was later identified as contents from the guest reservation database.
Which? consumer rights expert Adam French said: ‘This data breach is on a colossal scale and it will be of great concern to Marriott customers. It is vital that Marriott provides clear information on what has happened and helps anyone who has been negatively impacted.
‘Anyone worried they could be affected should consider changing their online passwords, monitor bank and other online accounts as well as their credit report to guard against potential identity fraud. Also, be wary of emails regarding the breach, as scammers may try and take advantage of it.’
What did hackers access about Marriott Starwood brand customers?
Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
For approximately 327 million of these guests, the information includes some combination of:
- mailing address
- phone number
- email address
- passport number
- Starwood Preferred Guest (‘SPG’) account information
- date of birth
- arrival and departure information
- reservation date
- communication preferences.
For some, the information also includes payment card numbers and payment card expiration dates, but Marriott says the payment card numbers were encrypted using Advanced Encryption Standard (AES-128) encryption.
According to the announcement, there are two components needed to decrypt the payment card numbers – and, at this point, Marriott has not been able to rule out the possibility that both were taken.
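The announcement does not say what the two components are. The following added example (not Marriott's code, and not based on anything in the announcement) assumes they are the stored ciphertext and a separately held AES-128 key, and shows why that separation matters: a dump of the reservation table alone yields no card numbers, the key alone yields nothing, and only an attacker holding both can recover them. The card number, key store and table layout are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedRecord is what the (constructed) reservation table stores for a card:
// the AES-128-GCM ciphertext and its nonce. The key is deliberately not here.
type EncryptedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewCardKey returns a fresh 16-byte key, i.e. AES-128. In a real deployment this
// would live in a separate key store (HSM/KMS), never in the same database as the data.
func NewCardKey() ([]byte, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPAN encrypts a card number with AES-128-GCM under key.
// aes.NewCipher rejects any key that is not 16, 24 or 32 bytes, so a short or
// malformed key never silently produces weak output.
func EncryptPAN(key []byte, pan string) (EncryptedRecord, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), nil)
	return EncryptedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN recovers the card number. GCM's authentication tag means a wrong key
// or a tampered record fails outright rather than returning garbage digits.
func DecryptPAN(key []byte, rec EncryptedRecord) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or modified record")
	}
	return string(pt), nil
}

// DumpExposesPAN answers the question a breach responder asks first: does a copy of
// the stored record, without the key, reveal the card number in the clear?
func DumpExposesPAN(rec EncryptedRecord, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan))
}

func main() {
	// Constructed sample card number (a well-known test PAN, not a real card).
	const pan = "4111111111111111"

	key, err := NewCardKey()
	if err != nil {
		panic(err)
	}
	rec, err := EncryptPAN(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in table:", hex.EncodeToString(rec.Ciphertext))
	fmt.Println("dump alone exposes PAN:", DumpExposesPAN(rec, pan))

	// Attacker with table dump plus the key: full recovery.
	got, _ := DecryptPAN(key, rec)
	fmt.Println("with key:", got == pan)

	// Attacker with table dump but a different key: authentication failure.
	other, _ := NewCardKey()
	_, err = DecryptPAN(other, rec)
	fmt.Println("without the right key:", err)
}
```

The design point is that the stored record and the key are separate things to steal; encrypting card numbers only helps if an intruder who copies the database does not also find the key beside it, which is exactly the possibility Marriott says it could not rule out.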
For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
Has your Starwood guest reservation been accessed?
If you made a reservation at a Starwood brand on or before 10 September 2018, you might be affected by the breach.
Marriott Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
Marriott began sending emails on a rolling basis on 30 November 2018 to affected guests whose email addresses are in the Starwood guest reservation database.
In response to the breach, Marriott has also set up a dedicated call centre to answer customer concerns, which is open seven days a week.
The UK call number is listed as 0-808-189-1065.
Marriott president and chief executive officer said: ‘We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves.
‘We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre.
‘We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.’
If you are concerned you could be affected, you should:
- Immediately change the passwords you used with Marriott
- If you used the same password on other accounts, change the password on those, too
- Contact your bank to inform them your bank and personal details might have been accessed
- Stay vigilant of scam attempts, including email and phone scams
- If you think you’ve been a victim of cyber crime or cyber-enabled fraud, contact Action Fraud.
Your rights when there’s a breach
If it’s likely that a data breach poses a risk to UK citizens, it’s the company’s responsibility to report that breach to the ICO.
They should also inform the NCSC if a cyber attack was the cause.
The company must also establish the likelihood and severity of the risk to your freedom and personal data rights following a breach. It’s also required to take steps to reduce any harm to consumers, which involves contacting affected customers.
The company should explain to you:
- the name and contact details of its data protection officer or other contact point that can provide more information
- a description of the likely consequences of the personal data breach
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.