Breach Brief – Marriott Starwood

The Marriott hotel chain announced a massive data breach involving 500 million customers worldwide. According to company officials, for the past four years an unauthorized party had access to credit card numbers and expiration dates, passport numbers and birth dates of Marriott Starwood customers.

This data breach is considered record-breaking for both its size and the length of time that hackers had access. Most data breaches last only about 90 to 200 days before discovery. This breach dates back to 2014 and was only discovered in September. Last year’s Equifax data breach was a fraction of the size of the Marriott breach, hitting only 145 million people. Though the company announced the breach today, internal security measures signaled a potential breach in early September. However, the company could not decrypt the data to determine what information had been exposed until last week.

Marriott purchased the Starwood chain in 2016, and it appears only those hotels were affected. The chain includes The W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood’s timeshare properties were also included in the breach. None of the Marriott chains are believed to be affected.

Exposure of combined vital information such as passport numbers and birth dates makes identity theft much easier. However, passports are usually used in person and employ a bevy of security measures to prevent counterfeiting.

To their credit, Marriott has reacted quickly to the breach. According to Marriott’s data breach website, there is a dedicated call center for customers who need additional information, and Marriott will be notifying affected customers via email. The Marriott call center number for the U.S. and Canada is 877-273-9481. For numbers for other countries, please visit the Marriott website. Customers can also email Marriott at [email protected]. Marriott is also offering enrollment in the WebWatcher service free for a year. The WebWatcher service monitors criminal websites for stolen or compromised personal information. The service is not available in all countries.

Marriott also offered the following tips to protect its customers from fraud and identity theft.

  • Monitor your SPG account for any suspicious activity.
  • Change your password regularly. Do not use easily guessed passwords.
  • Do not use the same passwords for multiple accounts.
  • Review your payment card account statements for unauthorized activity and immediately report unauthorized activity to the bank that issued your card.
  • Be vigilant against third parties attempting to gather information by deception (commonly known as “phishing”), including through links to fake websites.
  • Marriott will not ask you to provide your password by phone or email.
  • If you believe you are the victim of identity theft or your personal data has been misused, you should immediately contact your national data protection authority or local law enforcement.