If You Ask Marriott If Your Data Was Stolen, Plan to Wait a Month to Hear Back

Marriott’s data breach, disclosed at the end of November, compromised 383 million records including 5.25 million unencrypted passport numbers and 8.6 million payment cards. Marriott claims most credit cards were expired, which means they have that information, but even though they’re telling me my credit card number was compromised, they aren’t telling me the expiration date of the card.

Marriott did let me know that the hack of their systems released my unencrypted passport number as well. Even this information isn’t helpful because they don’t let me know which number or whether or not it’s expired.

And why was Marriott even hanging onto this data in the first place, beyond when it was necessary to complete transactions? Arne Sorenson would have you believe keeping passport numbers on file was to make it easier for you to reserve rooms, blissfully unaware that it is not necessary to input a passport number at Marriott.com in order to make a booking.

Even if Sorenson wasn’t completely making this up, what on earth were they keeping the data unencrypted for? Marriott wants to blame Starwood for this, but they have been managing the servers for a couple of years, during which time the data has been sitting unencrypted, and they’ve largely played coy about the timeline of the breach.

They offered to let you submit your information and find out whether or not your data was included in the data breach. It took over a week for Marriott to respond to me, but readers keep emailing to tell me that over two weeks later they’ve heard nothing.

I’ve continued pressing Marriott for a timeline: how long will it take customers who have submitted even more information to them to find out if their data was part of the breach? They’ve finally shared:

Our goal is to respond to guests within 30 days (which is consistent with many regulatory expectations), but we hope to reduce that time as we work through the initial wave of requests. We are prioritizing requests related to unencrypted passport numbers, and anticipate completing those outstanding requests this week.

Thirty. Days. And that’s a ‘goal’.

They want you to know they are not breaking the law (‘consistent with regulatory expectations’) which is apparently their standard for customer service.

Words fail.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.


Comments

  1. “We are prioritizing requests related to unencrypted passport numbers.”

    And how can they do that?

  2. What about their new draconian cancellation policy that is not disclosed without digging 3 screens in?

  3. I’m going to offer this up not as an excuse for Marriott (as 90% of all my stays are now at Hilton), but as a logical reason they are doing something that on its surface seems so consumer unfriendly:

    It is well-known in intelligence circles that this whole hack was related to Anbang’s failed attempt to buy Starwood. The Chinese government literally stole all information that Starwood had on file and is using it for who knows what. Marriott is probably getting huge pressure from Intelligence agencies to let them do their investigating, while also having to deal with irate customers.

    Again, not an excuse for the disastrous Marriott merger, but probably puts it into a new light as to why this is likely going on.

  4. So I contacted Starwood/Marriott’s KROLL Call Center and the complete idiots that answer the phones don’t actually know anything. They want all your credit card information and passport numbers to pass on to someone else who will get back to me. I said NO WAY. So after a lot of e-mail back and forth they finally suggested I contact Marriott directly at MarriottDPO@marriott.com
    I e-mailed them and they responded immediately saying they will look into it for me (note I never gave them my SPG number or any other personal info).
    About 21 days later, I received the following e-mail (below). I never worked at Starwood. Obviously a form letter which still doesn’t answer any questions – just creates more questions. Also it’s hilarious that they refer you to http://www.starwoodhotels.com which itself reverts to Marriott!

    Dear xxxxxxxxxx,

    We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.

    Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:

    Name
    Company Name
    Gender
    Address Information
    Primary Email Address
    Primary Phone Number
    Other Phone Information
    Encrypted Passport Number
    Credit Card Expiration Date
    Credit Card Type
    Encrypted Credit Card Number
    Starwood Preferred Guest (SPG) Number
    Starwood Preferred Guest (SPG) Loyalty Status and Balances
    Guest Frequent Traveler Program Information
    Starwood Executive Traveler Number
    Guest Opt-In Preferences
    Email Communication Preferences
    Reservation Details
    Central Starwood Unique Record Locator
    Returning Guest Indicator (Y/N)
    Employed at Starwood (Y/N)
    Record History Information

    Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com.

    If you have further questions or requests regarding this information, please let us know.

    Thank you.

    Greg Reid
    Data Protection Officer
    Marriott International, Inc.
    10400 Fernwood Road, Bethesda, MD 20817
    United States of America
    MarriottDPO@marriott.com

  5. They replied to me as well today.
    “Dear xxxxxxxxxxxxxxxxxxxxxxx
    We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.
    Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:”
    blah blah blah…
