Personal data of up to 500 million Starwood Hotel customers has been breached, thanks to malware installed in the hotel chain’s point-of-sale software in 2014.
The hotel giant discovered the four-year-old vulnerability in mid-September when an internal security tool alerted the Marriott team that someone was trying to access the Starwood guest reservation database.
Over the last four years, the information stolen from hotel guests ranges from non-sensitive to highly sensitive user data. Specifically, reports indicate compromised information includes:
- Names
- Date of birth
- Gender
- Mailing addresses
- Phone numbers
- Email addresses
- Reservation information like check-in and check-out dates
- Communication preferences
- Passport numbers
- Starwood Preferred Guest (“SPG”) account information
Marriott, which acquired Starwood in 2016, revealed that some guests affected by the breach may have also had their payment card data stolen, though it failed to disclose how widespread the issue is.
According to Marriott’s release on the SEC website, “Payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Who Was Affected by the Breach?
Any guest who stayed at a Starwood-branded property in the past four years was likely affected.
These properties include:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton
- Design Hotels
This is the second-largest breach ever recorded. It ties with a 2014 Yahoo hack that affected 500 million Yahoo users, and it is surpassed by another Yahoo breach, in 2013, in which hackers stole the personal details of three billion users.
How Can You Tell if You Were Affected?
According to Marriott’s website, the company has increased its guest services to help customers monitor and protect their information:
- The first course of action was to send email notifications to affected guests, starting on November 30, 2018.
- Next, Marriott opened a dedicated call center to answer questions about the breach.
To speak with someone directly about your account, call the contact center immediately.
What Can You Do if You Were Breached?
Apart from reaching out to a representative at the Marriott contact center, you can also:
- Take advantage of a free year of WebWatcher enrollment to monitor your personal information and receive alerts if suspicious activity pops up. Find more information here.
- Keep a close eye on your credit profile and bank account to ensure no one is accessing your funds illegally.
- Talk to your bank to let them know you may have been affected by the breach so they can continue to look for suspicious activity.
- Join a class action lawsuit. According to ZDNet, two lawsuits against the hotel chain were filed within hours of the breach being announced. The cases may result in a small payout for those affected.
Finally, it’s always wise to take steps to update your online profiles. Change your passwords to mitigate any further damage. Learn how to create an invisible footprint when it comes to your password generation, to protect yourself from breaches of your personal accounts.