Up to 500 million consumers have had their personal information compromised in a data breach of Marriott-owned Starwood hotels, which includes high-end properties such as Westin, W, Sheraton, St. Regis, and Aloft. 

The breach includes the customer's name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. 

"This is a massive breach—the number of affected consumers is bigger than the entire population of the U.S.—and it involves lots of sensitive personal information, including passport numbers and travel history," says Dan Guido, founder of the security firm Trail of Bits. 

The compromised data also includes payment card information and card expiration dates. The company reported that the payment information was encrypted but the company could not rule out the possibility that the elements needed to break the encryption were also taken in the breach.

The Marriott security breach involves unauthorized access to the Starwood guest database stretching back to 2014. The breach does not affect customer information from Marriott hotels, which was stored in a different database. 

In addition to the Marriott brands cited above, the breach affects Element Hotels, The Luxury Collection, Tribute Portfolio properties, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels, and Starwood-branded timeshare properties. 

Consumers Being Contacted

Starting today, Marriott says it has begun contacting affected customers by e-mail but hasn't finished that process. The emails will come from "starwoodhotels@email-marriott.com."

The company also established a dedicated webpage and call center to answer consumer questions about the incident. The page has a link with call center numbers around the world; the number in the United States and Canada is 877-273-9481. The call center will be open seven days a week and assistance is available in multiple languages, the company says. 

Marriott is also providing guests the opportunity to enroll in Kroll's Web Watcher Monitoring Service free of charge for one year. Web Watcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.

Consumers from the United States who activate Web Watcher will also be provided with free fraud consultation services and reimbursement coverage. To activate Web Watcher, go to info.starwoodhotels.com. Marriott says Web Watcher or similar products are not available in all countries.

According to a Marriott spokesman, the company first detected an unauthorized attempt to access the Starwood guest reservation database on September 8, but didn't determine the details of the data breach until November 19. 

A newly enacted European law, the General Data Protection Regulation [GDPR] requires companies to report data breaches within 72 hours. The law subjects companies to the potential for large penalties based on a percentage of their revenues for failing to report a breach in a timely manner. Privacy experts suggested that GDPR compliance is one reason why Facebook went public with a data breach in October within three days of its discovery even though details were still emerging. Marriott is an international company and would be subject to GDPR. 

There does seem to be some good news in Marriott's response to the crisis. "Anyone who thought a company as large and data rich as Marriott would not get hacked is naive," says Guido. "The unexpected part of this story is that Marriott has the competency to investigate it so thoroughly, including data logs that reach back four years."

This latest data breach highlights the need for further protection of consumer privacy. "We are troubled that companies continue to not prioritize the security of consumer information and yet face little consequences after massive data breaches that disclose information about millions of consumers," says Katie McInnis, policy counsel at Consumer Reports. "Although states have led the way on data breach legislation, we need a strong data privacy law at the federal level to incentivize companies to protect the consumer information they have been entrusted with." 

Passport Data at Risk

The Starwood breach involved a significant amount of personal information, although it doesn't involve the same amount of financial data as, say, last year's massive Equifax breach.

"Because the breach doesn't include unencrypted financial information, it might not be covered by a lot of state breach notification laws," says Justin Brookman, director of consumer privacy and technology policy for Consumer Reports. "But there's still private information in there that you might not want the world to know about, and could be used to potentially embarrass or blackmail someone."

The inclusion of passport information for some hotel customers makes this an unusual data breach. Passport information is particularly valuable to anyone trying to steal a consumer's identity. Like a Social Security number, it's considered by most financial institutions to be information that can definitively identify a person, and it can't easily be changed. 

What Consumers Can Do

Here are some steps you can take to protect yourself:

  • Check with Marriott to determine if your information may have been compromised and consider signing up for Web Watcher.
  • Monitor your own financial information on a regular basis, including your credit card bills, bank statements, and credit report.
  • Consider a credit freeze to make it harder for cybercriminals to apply for loans, credit cards, and wireless phones using your personal information.
  • Be wary of spear phishing scams. The very specific data included in this breach, including travel history, could be used by cybercriminals to make a scam message look legitimate. Criminals could also contact consumers claiming to be associated with Marriott. So be aware of e-mails and callers using this kind of information. 
  • Going forward, be as stingy as possible with your personal information. Consider the risk-reward before you sign up for affinity promotions like hotel rewards programs, and whenever possible decline to offer personal information. When that information is required, use a burner e-mail set up just for that purpose, or even your work accounts and phone numbers, rather than your personal information.

Editor's Note: This article has been updated with additional information about when the Marriott data breach was discovered.