Hackers gained access to the guest database for the Starwood brand of hotels dating back to 2014—affecting a whopping 500 million customers, according to Marriott, the hotel brand's owner.
The Starwood data breach puts customers from around the world at risk of identify theft and fraud: Hackers may have had access to many kinds of Starwood hotel guests' personal information, including passport numbers, phone numbers, date of birth, email and physical addresses, and credit card numbers.
While Marriott says that approximately 500 million Starwood hotel customers have been affected in the data breach, 327 million guests could have had their most sensitive personal information — including passport and payment details — copied by hackers.
Starwood Hotels & Resorts includes popular hotel brands such as Sheraton, Westin, St. Regis, Le Meridien, and W Hotels. The hotel giant Marriott International purchased rival Starwood Hotels in 2016, and the company has been slowly merging the Marriott Rewards and Starwood Preferred Guest loyalty programs.
Marriott says that hackers had access to the Starwood guest reservation database from 2014 through September 10, 2018. The personal information of anyone who made a reservation at a Starwood hotel during this time period could be impacted. The breach affects Starwood Preferred Guest reward members and non-members alike. The company says its investigation did not find any evidence that the personal information of Marriott hotel guests was hacked.
"We are still investigating the situation so we don't have a list of specific hotels" that were affected, Marriott spokesman Jeff Flaherty told Reuters. "What we do know is that it only impacted Starwood brands."
How do you know if the Starwood data breach affects you?
Marriott has hired a security consulting firm, Kroll, to address hotel guests' concerns about the data breach and offer advice on how customers can protect themselves.
Marriott suggests that Starwood hotel guests take the following steps to see if they're at risk and minimize damages:
• Call the Starwood data breach call center to see if you're affected. In the U.S., the number is 877-273-9481.
• Look out for an email from Marriott. The company says it will be sending emails to affected Starwood guests alerting them about the hack, starting today.
• Consider enrolling in Kroll's WebWatcher, a service that monitors websites where personal information is swapped and generates alerts for affected parties. Marriott is giving guests WebWatcher subscriptions for free for one year; it is unclear how much the service costs after that.
• Starwood Preferred Guest customers should monitor their accounts for suspicious activity. All potentially affected hotel guests should change passwords often and review credit and debit cards for charges they didn't make.
Ted Rossman, an industry analyst for CreditCards.com, says Starwood customers affected by the data breach could have more to worry about than unauthorized charges on their existing credit cards. “The names, addresses, passport numbers, and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted," said Rossman. "People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
The Starwood hotels hack is one of the biggest data breaches of all time. As far as we know, only the Yahoo data breach that affected upwards of 3 billion email customers was bigger in scope.