Breaking Down the Marriott-Starwood Security Breach

As the dust continues to settle from the Starwood guest reservation database security breach–which affects millions of business and convention travelers, as well as vacationers and tourists–potential victims are still waiting to hear the fate of their personal data. An investigation has determined that the guest information accessed without authorization was related to reservations at Starwood properties on or before Sept. 10, 2018.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood networks since 2014,” the hotelier said in a news release. “The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On Nov. 19, 2018, Marriott was able to decrypt the information, and determined that the contents were from the Starwood guest-reservation database.”

While Marriott has not fully identified all duplicated information, here’s what has been determined:

  • The database breach contains information on up to approximately 500 million guests who made a reservation at a Starwood property, not a Marriott. While Marriott International is the parent company of Starwood, Marriott Hotels use a separate reservation system that is on a different network.
  • Starwood properties include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton, Design Hotels that participate in the Starwood Preferred Guest program and Starwood branded timeshare properties.
  • For 327 million guests, the information accessed includes a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
  • For some guests, it also includes payment card numbers and payment card expiration dates.
  • For remaining guests, information was limited to name and other data such as mailing address or email address.

Marriott noted that it has reported the incident to both law enforcement and regulatory authorities.

How does Marriott advise guests to proceed?

If you’re concerned that your information could be included in this breach, keep an eye on your inbox. The company began sending e-mails on Nov. 30 to affected guests who have an e-mail address in the Starwood guest-reservation database. The e-mails will continue to be sent on a rolling basis from the address Additionally, Marriott has established a website and call center to answer questions about the incident, and advised guests to enroll in WebWatcher, which, according to Marriott, “monitors internet sites where personal information is shared and generates an alert if evidence of your personal information is found.”

Moving forward, Rodney Pattison, chief technology officer at Acendas Travel, says to beware of people preying on victims of the breach. 

“After a large-scale incident like this, fraudsters from around the world will inevitably jump at the chance to try and catch a few unsuspecting people out,” Pattison said. “If you receive any emails purporting to be from this incident or such – like mentioning it, asking for any personal information, or to click on unverified links–discard them.”

Although both Pattison and Brent Blake, president of Acendas, noted that from a traveler’s perspective these kinds of incidents are virtually unavoidable, the pair offered further tips for navigating a security breach if your information, specifically your credit or debit card, is involved:

  • Call your bank or card issuer, cancel the card and request a new card. No bank will ever mind being contacted because you are being cautious.
  • You’ll also want to check your card statements for suspicious activity or purchases online–in particular, small amounts, just in case they are testing your card before a larger transaction is placed online. It also might be worth adding extra fraud-alert security on your account.
  • And it goes without saying: change your password. After a breach of this scale, it is always a good idea to change your password, along with the same password wherever it is used on other websites.