One of the largest hotel chains in the world announced Friday that the personal information of up to 500 million guests may have been stolen after its reservations database was hacked.
Marriott International said that guests who made reservations with its Starwood properties on or before Sept. 10 may have had their information compromised. Among the hotels under the Starwood brand are Sheraton, Westin and St. Regis.
What was stolen?
The database included information tied to as many as 500 million guests, Marriott said. For about 327 million of the guests, hackers had access to names, addresses, phone numbers, email addresses and passport numbers. The hackers could also see loyalty program account information, dates of birth, gender and reservation information.
The hotel said that the database also contained encrypted credit card numbers for some customers and that it can’t rule out that the hackers stole information that could decrypt and reveal those numbers.
For the remaining customers, the information stored in the database included their names and, for some, addresses, email addresses and other information, Marriott said.
What should I do?
If you made a reservation with a Starwood hotel on or before Sept. 10, the information you shared may have been stolen, the hotel said.
Starting Friday, Marriott said it will begin sending emails on a rolling basis to affected guests who have shared their email addresses with Starwood. Marriott has cautioned customers to stay vigilant as they look for this email because malicious actors may try to pose as Marriott.
On an FAQ page, Marriott listed the official email address from which it will send the notification. The hotel said:
[W]hen other companies have provided notifications like this, other people used it to try to trick individuals into providing information about themselves through the use of links to fake websites (phishing) or by impersonating someone they trusted (social engineering). Please note that the email you may receive from us will not contain any attachments or request any information from you, and any links will only bring you back to this webpage.
Marriott has also put up a dedicated website and directed customers to a call center to ask questions.
How do I sign up for fraud monitoring?
Marriott said it is offering customers a fraud monitoring service at no cost for one year. It said WebWatcher monitors websites where personal data is shared and alerts customers if their information is found. People can enroll in WebWatcher through Marriott’s dedicated website.
What happens next?
Marriott has directed customers to monitor their loyalty program, Starwood Preferred Guest, for suspicious activity. Customers should also review their credit card statements and look out for unauthorized purchases, the hotel said.
Marriott said it will not ask customers to provide their password by phone or email and told guests to stay vigilant against phishing attempts in the wake of the data breach.