Massive Marriott Data Breach: 500 Million Bookings, Many With Payment and Passport Data

If you’ve been a legacy Starwood guest, Marriott’s systems likely disclosed much of your personal information to hackers. Marriott announced that the Starwood reservation database was breached. They learned about the ongoing breach in September, and they say it had been occurring since 2014.

They aren’t saying this is the end of it: they were able to determine the extent of the breach because the hackers made a copy of data on the Starwood system and encrypted it, and Marriott has “not finished identifying duplicate information in the database.” Even so, they are reporting access to about 500 million guest records.

  • For about 327 million reservations the data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

  • Some number of records also contain credit card numbers and expiration dates. While that data was encrypted, Marriott suggests the possibility that the keys to decrypt the data were taken as well.

They’ve set up a website about the hack and will begin e-mailing affected customers today. They’re also providing one year of free enrollment in WebWatcher to help identify where personal information is found on the internet, and U.S. customers activating WebWatcher will also receive “fraud consultation services and reimbursement coverage for free.”

The company has disclosed to the SEC (.pdf) that it carries insurance for this sort of incident and does not expect to take a long-term financial hit from it.

Marriott has continued to maintain the legacy Starwood system even after integrating into a single loyalty program, because not all of their hotels have been moved over to the Marriott property management system. Apparently the breach was discovered when the first round of Four Points hotels were being converted from the Starwood system to the Marriott system.

Ultimately virtually all large databases either have been or will be breached. So the only thing that’s causing me more than a shrug here, beyond the scale (it’s just a large number!), is that some of the records contained passport information. Marriott is getting ahead of this by notifying customers, providing monitoring, and offering a service that will cover costs borne by consumers.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.

Comments

  1. Time for Marriott to pay some compensation for mishandling data. I demand 100K points for Marriott to let it pass and forgive their careless handling of my personal information.

  2. Reading their special website, it seems no passwords were taken… but it’s always a good idea to change your password after these types of events!

  3. I tried to sign up for the monitoring service, using the link on the Kroll informational website established by Marriott. No luck — the monitoring service website is refusing connections.

    Again, Marriott IT is not ready for prime time.

  4. “Ultimately virtually all large databases either have been or will be breached. So the only thing that’s causing me more than a shrug here……. Marriott is getting ahead of this notifying customers”

    You are acting like they deserve some sort of award! I work in IT; to say all large databases have or will be breached is simply untrue. Poor security practices lead to this. Beyond the 3 billion accounts in the Yahoo breach, this will be the largest in history. Not to mention the first hotel breach. How can you honestly say Marriott is getting ahead of this? They have known since September! Instead of doing the right thing, they waited until they knew their liability (aka covering their own ass). It’s no coincidence they released this info on a Friday, on the last day of the month.

    You also sugarcoated their statement. Yes, they have “cyber” insurance, but they say they are still trying to determine coverage. The most telling part of their statement is this:

    “The Company does not believe this incident will impact its long-term financial health. As a manager and franchisor of leading lodging brands, the Company generates meaningful cash flow each year with only modest capital investment needed to grow the business.”

    To put it another way, they put in minimal effort, and since they own so many hotels, they know people will stay regardless.

  5. Of course, the registration page for the web monitoring asks for social security number, passport number, etc. It seems to me that is just doubling down on the risk. Anyone ITB know whether withholding those items and just doing name, address and phone numbers would make the monitoring less effective?

  6. They might not see financial effects, but what about ME? If my passport number gets compromised, who has to deal with it: ME. If my cards get compromised, who has to take time out of my day to get new ones sent to wherever in the world I am: ME!

  7. @Luke H You post “it seems as no passwords were taken”. Reread this article. It says the passwords taken were encrypted, but the encryption key information needed to decode the encryption was also “possibly” stolen.

  8. Actually tried to change the password on the Marriott account, and got a ‘General Error’ after trying to confirm the change with the confirmation code they sent. Lol Marriott IT

  9. Maybe if companies were required to give each person affected by a breach several thousand dollars each, they would put in better security. They just lost me as a customer.

  10. I can understand why a person that has their data exposed would be upset. But the “woman left overnight in a wheelchair at the airport” story should make reasonable people stop and try to find out the FACTS before they rush to judgement. It would be nice if everything that happens to us we would be compensated for, but that does not happen in the real world. There are no “bonanzas,” especially when the situation did not personally cost you any money. No one likes it, but that is the way it is. Did Marriott try to buy the least expensive cyber security available? Or are the hackers becoming more and more sophisticated, leaving the security firms one step behind the power curve and reactionary? I do not know the answers, but without all of the information I am slow to pass judgment on any company.

  11. When I went to change my password and delete my payment info via Marriott’s app, I noticed it was linked to Facebook. I did not link my account to Facebook and, further, I could not remove the link to Facebook. Marriott needs to fix this ASAP. Will be reporting this to the feds.

  12. I created an email address just for travel accounts. I’ve had 1-2 spam messages per year for the past 2-3 years, so never an issue. I just signed up for the web watcher service using the travel account and I am literally getting 30-40 spam messages per day. I’m not saying there is causality, but am interested if anyone has had a similar experience?

  13. My Marriott Rewards account was broken into by what looks like Chinese hackers. They set up a United account and transferred over 1.6 million points. United detected the problem when they tried to purchase 7 airline tickets to China and called me to see if I authorized this. United transferred the points back to my Marriott account. It took over 10 days to fix the problem they created in my Marriott account: phone numbers, emails, password that they changed. Had to send Marriott proof that I was the owner. Because American Airlines was in my Marriott account, next they hit my AAdvantage account and booked a flight from China to Egypt. Why I never received any emails about these charges to my account: because the hackers went into my email account and set filters, and any message from Marriott, American Airlines, United Airlines was sent to TRASH. I repeat, TRASH. You might want to see if filters have been set on your email account.
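The filter check the commenter above recommends can be automated. The following is an added example, not code from the post or from Marriott: it parses a mail-filter export in the Atom/apps:property shape that Gmail uses (the property names `from`, `hasTheWord`, `shouldTrash`, `shouldArchive`, `shouldMarkAsRead`, `forwardTo` are assumed from that format) and flags rules that silently hide mail from loyalty programs or about password changes. The sample export is constructed.

```python
"""Audit an exported mail-filter list for rules that hide account notifications."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Gmail filter export (Atom feed whose
# entries carry apps:property elements). Property names assumed from that format.
SAMPLE_FILTERS = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example-deals.test'/>
    <apps:property name='label' value='Promotions'/>
  </entry>
  <entry>
    <apps:property name='from' value='marriott.com OR united.com OR aa.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>"""

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Actions that keep a message away from the owner's eyes.
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead", "forwardTo"}
# Senders and keywords an account-takeover would want suppressed (constructed list).
WATCH_TERMS = ("marriott", "united", "aa.com", "password", "verification", "points")
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")

def parse_filters(xml_text):
    """Return each filter entry as a dict of property name -> value."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.findall("apps:property", NS)}
            for e in root.findall("atom:entry", NS)]

def suspicious_rules(rules):
    """Flag rules whose criteria mention a watched term and whose action hides mail."""
    flagged = []
    for rule in rules:
        hides = sorted(a for a in HIDING_ACTIONS if a in rule)
        criteria = " ".join(v for k, v in rule.items() if k in CRITERIA_KEYS).lower()
        if hides and any(term in criteria for term in WATCH_TERMS):
            flagged.append({"criteria": criteria, "actions": hides})
    return flagged

if __name__ == "__main__":
    for hit in suspicious_rules(parse_filters(SAMPLE_FILTERS)):
        print("SUSPICIOUS:", hit)
```

Run it against a real export to review every flagged rule by hand; a rule you did not create that trashes or auto-archives provider mail is a strong sign the account, not just the provider, was compromised.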

  14. The merger benefits Marriott Rewards people more than us loyal SPG people. We lost some perks, and some service. SPG was the best program. I wonder if this breach would have happened if Starwood had not been merged into Marriott. Several high end Starwood hotels have left now that Marriott is in control. Wonder why? Some changes are not good. I have been disappointed by this merger, and now Marriott has even less credibility.
