Marriott suffers a massive breach of its guest records. Here’s how to protect yourself

Marriott gives update on its hack, says millions of passport numbers were stolen

The data of as many as 383 million travelers could have been compromised in a breach of Marriott’s Starwood Preferred Guest (SPG) database. After originally sharing information about the breach in November, the company released updated information on January 4, reporting fewer guests affected but confirming that some unencrypted passport numbers were involved in the breach. Marriott says an internal security tool recently alerted the company to the breach, but an investigation showed the unauthorized access began in 2014. The breach only includes the Starwood Preferred Guest loyalty program — guests who booked at a Marriott-owned property from another booking platform were not affected.

Marriott originally estimated that as many as 500 million guests may have had data compromised by the breach, though the company hasn’t yet completed the investigation. That number is now lower, with the company estimating as many as 383 million affected. For some guests, Marriott says payment card numbers and expiration dates were compromised. That payment data was encrypted, Marriott says, but the investigation hasn’t yet determined if the components needed to decrypt the data were also compromised.

Now, Marriott says that around 5.25 million unencrypted passport numbers were stolen, along with more than 20 million encrypted numbers. The company also says that payment information was only compromised for a small percentage of those affected by the breach — around 8.5 encrypted numbers were affected, but a majority of those cards have already expired.

The company shared in November that around 327 million guests had non-payment-related data compromised, which can include their name, mailing address, phone number, email address, passport number, SPG account data, birth date, and gender, along with details like arrivals and departures, reservation dates, and communication preferences. Other guests had more limited data compromised, such as name, email, and mailing address, the company says.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and chief executive officer, said in a press release. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The breach affected accounts using the SPG platform between 2014 and September 10, 2018. Marriott says affected guests were notified by email, and the call center can help guests determine if their passport numbers were part of the breach. The company is also offering a dedicated website and call center for affected users, as well as a free year of WebWatcher. The breach was also reported to law enforcement agencies.

“Today, Marriott is reaffirming our commitment to our guests around the world,” Sorenson said. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

The SPG breach joins other recent data hacks inside the travel industry, including those affecting Orbitz, British Airways, and Cathay Pacific.

What can you do to protect yourself?

This incident is particularly severe because it includes the possible loss of payment card numbers, expiration dates, and other payment data. This data was encrypted, but that doesn’t mean it’s safe. Even the loss of address and phone number information is significant since it can be used to help criminals defraud victims.

Vivek Lakshman, vice president of Innovation at biometric security company ThumbSignIn, sees a reason for concern. “This is huge in its depth of knowledge about the customer and the reach of millions of customers,” he said. “If the information reaches the dark web, as it happens with other breaches, it can get to other hackers and can have a cascading impact on consumer accounts.”

If you’ve stayed at Marriott lately, or are otherwise worried that your data was compromised, you can protect yourself by using the usual methods. According to Lakshman, that includes changing your passwords, enabling two-factor authentication, and signing up for the WebWatcher service that Marriott has offered. You can take an even more extreme, and effective, step by freezing your credit. This will prevent criminals from using the compromised information to open new lines of credit in your name.

What will the consequences be for Marriott? That’s hard to say. Lakshman told Digital Trends that “apart from massive loss of customer trust, there are likely government fines for Marriott.” Yet he seemed skeptical that these fines will be substantial, adding that “[…] with the rate of breaches happening, even this will pass and be forgotten from consumer memory in a few years.”

Updated January 4, 2019: Added updated data from Marriott. 

Hillary K. Grigonis