Marriott Hacked – Up To 500 Million Starwood Accounts Are Affected


Some links to products and travel providers on this website will earn Traveling For Miles a commission which helps contribute to the running of the site – I’m very grateful to anyone who uses these links but their use is entirely optional. The compensation does not impact how and where products appear on this site and does not impact reviews that are published. For more details please see the advertising disclosure found at the bottom of every page.


Here we go again! What is it with big corporations and their inability to keep our information safe?!

We’re only just getting over the Cathay Pacific hack and the debacle that was the British Airways hack and now we’re being told that Marriott’s Starwood database (containing the information of 500 million customers) has been compromised by an “unauthorised party”.

The Marriott/Starwood Hack – What Happened?

Marriott has said that on 8 September 2018 an internal security tool detected an unusual attempt to access Starwood’s US guest reservations database.

The hotelier called in security experts to investigate and to determine what had transpired and, on 19 November, the investigation determined that there was an unauthorised access to the database “which contained guest information relating to reservations at Starwood properties on or before September 10, 2018“.

Alarmingly, Marriott has confirmed that the investigation has learned that there has been unauthorised access to the Starwood network since 2014!

Whoever has been accessing the Starwood database has copied and encrypted information and apparently “took steps towards removing it“.

On 19 November Marriott was able to decrypt the information that was accessed and has determined that “up to approximately 500 million guests who made a reservation at a Starwood property” (including timeshares) had their information compromised.

What Information Has Been Accessed?

So far Marriott can only confirm that, for 327 million of these guests some combination of the following has been exposed:

  • Name
  • Mailing address
  • Phone number
  • Email address
  • Passport number
  • Starwood Preferred Guest account information
  • Date of birth
  • Gender
  • Arrival and departure information
  • Reservation date
  • Communication preferences

For “some” of these guests Marriott says that payment card numbers and payment card expiration dates were also accessed but that the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

Here’s a very important bit from Marriott’s announcement:

There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

For the remaining guests (presumably the remaining 173 million of the 500 million originally mentioned) the information accessed was “limited to name and sometimes other data such as mailing address, email address, or other information”.

What I’d like to know is this:

Is the affected information just related to people who made reservations at Starwood properties or has the SPG database been compromised as well?

I realise that the information in the two databases probably overlap quite significantly but it would still be good to know if SPG was breached as well.

What Is Marriott Doing Now?

Marriott says that it is cooperating with law enforcement and “continues to support their investigation

Marriott will begin sending emails on a rolling basis starting today, 30 November 2018, to affected guests whose email addresses are in the Starwood guest reservation database.

The hotelier has….

  • Set up a dedicated website for anyone seeking further information (info.starwoodhotels.com)
  • Announced a “guest support” email address via the risk management team it has engaged ([email protected])
  • Provided a phone number for those who believe they may be affected (877-273-9481) and added a special option to the regular Marriott phone lines which will direct guests to the appropriate department.

Marriott is also providing guests with the option of enrolling in WebWatcher free of charge for 12 months (enrol via info.starwoofhotels.com).

Thoughts

My initial reaction to this can’t be reproduced here because it’s simply too rude and inappropriate – I’m staggered by this.

How is it possible for Starwood’s systems to have been compromised for over 4 years and only now has someone noticed?!

4 years???!!!

Alex Cruz over at BA must be delighted by this – Starwood has just done the seemingly impossible and made BA’s inability to spot a breach for over 14 days look perfectly reasonable and timely.

I’ve already read people saying that this isn’t all that big of a deal because the credit card companies cover us for any fraud that takes place….but anyone saying that is completely missing the point – this isn’t just about credit card details.

Marriott has admitted that some people’s passport numbers were compromised (possibly with their names, addresses, dates of birth, gender and a whole host of other information).

This is incredibly sensitive information (how many people know your passport number?) and goes well beyond having your credit card details stolen.

If someone tries to use your credit card (or succeeds in using your credit card) without your permission you’re just going to be inconvenienced by having to get the card replaced (which you can do in as little as 24 hours) but having your personal data stolen is a whole other ball game.

I’d like to take some solace in the fact that this information has been compromised since 2014 and we haven’t heard of any major incidents as a result but the fact that someone was still accessing the information in September means that the hacker(s) are still very active and are still attempting to use whatever information they have.

Bottom Line

Personally I’ve made a number of Starwood reservations since 2014 so I’m definitely caught up in this but I’m probably one of the more fortunate ones – none of my reservations had my passport number attached to them, none of my reservations were made using credit cards details that are still active (the BA hack took care of that) and none of my reservations had my home address associated with them…so, hopefully, there shouldn’t be too much a hacker can do to me.

If you think you’re one of the 500 million affected by this (and if you’re reading this miles & points blog you probably are) it may be time to change whatever information you can (don’t change your name…that’s going a bit far 🙂 ).

Passwords and credit cards are the easiest to change and you may with to consider altering the email address you use for any Starwood reservations you made. After that you just need to remain vigilant and keep a close eye on your credit cards and your credit reports – possibly set up a monitoring service as Marriott suggests.

Travel Rewards Credit Cards

3 COMMENTS

  1. If this was just on the Starwood side I assume you want to update any Marriott information so it doesn’t mirror the information on the Starwood system. Stuff like credit card number, password, etc. 4 years is a long time but I think 2 1/2 months to investigate is also too long.

    • Agreed – keeping completely separate details across accounts is always a good idea.

      Yes, I’m not sure what took Marriott (and its security advisors) all that time, perhaps the sheer number of accounts and the encryption slowed everything down? Still, one it was clear there had been a breach I would have thought Marriott should have come out and said something straight away even if they didn’t have all the facts to hand.

  2. Great thanks Marriott maybe this is another reason that some of my reservations at SPG locations have been changed and moved the last three weeks. I still have not felt comfortable the IT Team at Marriott knew what they were doing a year ago when they started update their own system.

LEAVE A REPLY

Please enter your comment!
Please enter your name here