If you’ve been a legacy Starwood guest, Marriott’s systems likely disclosed much of your personal information to hackers. Marriott announced that the Starwood reservation database was breached. They learned in September about the ongoing breach, which they say had been occurring since 2014.
While they aren’t saying this is the end of it — they’ve determined the extent of the breach because hackers made a copy of data on their system and encrypted it and they have “not finished identifying duplicate information in the database” — they are reporting access to about 500 million guest records.
- For about 327 million reservations the data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
- Some number of records also contain credit card numbers and expiration dates. While that data was encrypted, Marriott suggests the possibility that the keys to decrypt the data were taken as well.
They’ve set up a website about the hack and will begin e-mailing affected customers today. They’re also providing one year of free enrollment in WebWatcher to help identify where personal information is found on the internet, and U.S. customers activating WebWatcher will also receive “fraud consultation services and reimbursement coverage for free.”
The company has disclosed to the SEC (.pdf) that they carry insurance for this sort of event and do not expect to take a long-term financial hit from this event.
Marriott has continued to maintain the legacy Starwood system even after integrating to a single loyalty program because not all of their hotels have been moved over to the Marriott property management system. Apparently the breach was discovered when the first round of Four Points hotels was being converted from the Starwood to the Marriott system.
Ultimately virtually all large databases either have been or will be breached. So the only thing that’s causing me more than a shrug here – beyond the scale (it’s just a large number!) – is that some of the records contained passport information. Marriott is getting ahead of this by notifying customers and providing monitoring and a service that will address costs borne by consumers.