Marriott International announced today that it is the latest target of a data breach and that the information of up to 500 million guests may have been accessed by hackers through its Starwood reservations database. In 2016, Marriott bought Starwood properties, which include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Key details about the breach:
- Information of customers who made reservations on or before Sept. 10, 2018, at a Starwood property may have been involved. Investigators believe hackers have had access to Marriott’s system since 2014.
- Data taken in the hack included payment card numbers and payment card expiration dates. A statement from the company explained that a more advanced encryption method was used, requiring two components to decrypt the payment card numbers. However, Marriott warned that it is still investigating and cannot rule out the possibility that both components were taken.
- Hackers also obtained other personal data about guests including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.
- Only guests using the Starwood reservation system were affected. Marriott uses a separate reservation system on a different network.
- Marriott has established a website for more information about the database security incident.
- Today, Marriott will begin emailing guests whose email addresses were in the Starwood guest reservation database. The email will come from the following email address: firstname.lastname@example.org. The email will not contain any attachments or request any personal information and any links will only take email recipients back to the web page dedicated to the incident.
- Marriott warns SPG guests to monitor their SPG account for any suspicious activity and to review payment card account statements for unauthorized activity. Immediately report such activity to the bank that issued the card.
- Be vigilant against third parties attempting to gather information by deception (commonly known as “phishing”), including through links to fake websites. Marriott will not ask you to provide your password by phone or email.
- If you believe you are the victim of identity theft or your personal data has been misused, you should immediately contact your account provider and local law enforcement.
On Sept. 8, 2018, the company was alerted that an unauthorized attempt to access the Starwood guest reservation database in the U.S. had occurred. Hackers encrypted the stolen information, most likely to prevent detection by data-loss prevention tools. The hotel giant wasn’t able to decrypt the stolen information until Nov. 19.
“Living in a digital society places consumers at a higher risk for identity theft, but companies are required to take specific measures to protect their customers’ data,” said Andrew Brashier, a lawyer in Beasley Allen’s Consumer Fraud Section. “Hackers are constantly figuring out new ways to gain access to personal information, so it is incumbent on vendors to stay equally aware and take new and more effective steps to better protect their customers’ data and privacy. Consumers who are victims of a data breach or identity theft should take immediate action to minimize the risk to their credit score and financial accounts.”
Beasley Allen attorneys are investigating reports of consumers affected by the Marriott International/Starwood data breach. If you receive notice that your data has been compromised, please contact Beasley Allen for a free consultation.