AwardWallet receives compensation from advertising partners for links on the blog. Terms Apply to the offers listed on this page. The opinions expressed here are our own and have not been reviewed, provided, or approved by any bank advertiser. Here's our complete list of Advertisers.
Marriott revealed today that it has suffered a huge data breach which may compromise the data of up to 500 million guests who had booked a reservation with a Starwood property prior to September 10, 2018.
What Happened?
The timeline is even more shocking than the sheer number of members affected. Marriott’s investigation determined that the unauthorized access and removal of guest information has been ongoing since 2014, but it was only discovered in early September 2018.
Marriott confirmed in a statement that:
“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
The full scope of the breach is still uncertain, but Marriott believes the hacked database contains information on up to 500 million guests. For approximately 327 million guests, the data includes some combination of name, mailing address, phone number, email, passport number, date of birth, gender, and reservation details.
To make matters worse, Marriott has not been able to rule out the possibility that some members' credit card details have also been compromised.
Marriott CEO Arne Sorenson issued an apology to members, saying:
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott has confirmed that it is cooperating with law enforcement’s investigation of the data breach and has begun the process of notifying the regulatory authorities.
Not surprisingly, Marriott's stock plummeted nearly 6% in early trading after announcing the breach. Once the true size of the breach is confirmed, experts believe it will be the second or third largest hack in history, after the 2013 hack of Yahoo, which compromised the details of three billion customers.
How Can You Protect Yourself?
Marriott has created an informational website and set up a dedicated call center to provide updates and assistance to members.
If you made a reservation with any Starwood property prior to September 10, 2018, Marriott is offering one year of free access to WebWatcher—a service that alerts you when your personal information is found in places it doesn’t belong on the web.
The WebWatcher tool is currently available for residents of the United States, Canada, and the United Kingdom via this signup page.
Although there is currently no evidence that fraudulent redemptions are being made from member accounts, this is a great time to review your AwardWallet notification settings.
AwardWallet can notify you when points are redeemed from one of your connected accounts, or when travel reservations are created or modified. To set up alerts, just check the boxes for Rewards Activity, New Travel Reservations, and Changes to Travel Reservations.
Source: CNN Business
The comments on this page are not provided, reviewed, or otherwise approved by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.
Things like these keep happening over and over again. Use the old method a girl will use when she does not like a guy – give him a made-up phone number. Scramble the data, give the crooks a wrong phone number, wrong address, wrong credit card number and let them deal with the mess. Nobody will buy their information if fit is not useful.
They still haven’t righted this ship, have they? Perhaps an update is in order.
Wish they would do a better job at protecting info. Most cards would have you covered. Just frustrating and way to common today.
Frustrating to be part of yet another data breach, when will we get some protection and compensation for these types of things. It seems they can sit on the information for months, then finally disclose only when forced. I think if they were required to compensate, things would tighten up significantly.
The ineptitude of major corporations regarding data security never ceases to amaze.
worth signing up for the web watcher service if you are eligible
seems like almost everyplace is getting hacked nowadays
and for notifications to be years late
it is too late to even change anything
we have been tracked for years, the internet make it all easy for hackers
So far their communication has been woefully inadequate, but I figure my data is already online somewhere and act accordingly.
With all of these breaches it seems likely that most data is already out there.
It’ll be interesting how this affects M&A and various deals as a whole moving forward. Imagine several year liabilities or escrow holds on specific amounts of funds upon deal close for situations like this. It’s one thing if the seller wasn’t aware, but a whole other situation if the seller was aware of the breach upon sale.
It took until yesterday to send me an email that the Marriott breech includes Starwood;.
This is like the third data breach email I’ve received this week from various companies. At this point, I’m fairly sure there is not much new to steal from my account. Though the passport number bit is new.
I have signed up for WebWatcher, thanks for providing the link!
Big deal, credit monitoring. Companies need to be more responsible. How do things like this go on for years undetected??? It just shouldn’t happen
whoa- nothing is safe online huh?
This is ridiculous and should no longer continue to happen. The simple truth is that most large organizations just consider the limited financial and regulatory consequences of these breaches less expensive than hardening their systems and as such is just the cost of doing business.
Very disturbing that passport numbers are part of the breach…
Horrible news!
In my opinion acting after years it mean they didn’t catch the intrusions.
Fortunately I’m not affected (but I have been affected by the British Airways date breach).
Both data breach are quite dangerous with a lot of data taken and sell in the dark web.
Well this makes one a nervous Nellie. At least we know now and can keep an eye on things. Thank goodness we have AwardWallet! I love getting the alerts when something changes in an account that I have watched.
I can’t imagine the annoyances that people will have to go through if they have been compromised. ugh. I feel for them!
This story keeps happening with different companies, unfortunately.
That can’t be good…
On the other hand, it might be a good time to buy some Marriott stock during this data breach hiccup to get some shares on sale.
It’s not like their hotels are bad places to stay.
This is really, really scary. And I am concerned this is happening elsewhere and the data base owners are just unaware of the situation.
This is what scares me about all these great signups. Will my data be protected? It seems no one is immune anymore, and I have to take the next step precautions (passwords, keeping track of what goes where, and so on) to stay safe.
Has anyone on here discovered that their personal SPG personal data been compromised?
Unless notified by Marriott, how would you discover it?
This is the real question – I guess you just keep an eye out for things?
Lots of data breaches across the travel industry, it’s very worrying that our personal info is at risk.
Sounds like there’s no reason to do anything until you get an email that you are an affected guest.
Has anyone on here seen their SPG personal profile data been compromised?
I’d like to know how anyone could actually tell? And then, I’d be interested in someone proving it wasn’t related to some other data breach.
Thank you for keeping us informed and providing tools to help us protect ourselves!
That’s bad:-(
I guess, after 1 year, nothing can possibly be done with the information. Call any possibly affected credit cards to get a new number.
This is horrible! Data breaching happens so often these days. Hackers can be “Big Brother” if they wish…
Definitely not good news from Marriott.
This has to be one of the largest breaches in the points and miles world. I’m probably going to close out all the cards i’ve used with spg. I understand how fraud on credit cards can be reported you are usually not liable but what if someone ends up stealing your points ? Is there any protection against that ?
If someone steals your points call up the loyalty program — they’ll likely fix it without hesitation.
This seems to be getting pretty common and affecting multiple companies that should have strategies in place to protect data more proactively. Several airlines have had recent breaches notably British Airways a few months ago.
This is so annoying…now I need to update my credit card info and also watch for any suspicious activities.
Thanks for the post though.
You can assume you information is out ther,e and thus there is now a need to mitigate (as oppose to prevent) risk. These monitoring services are good for the consumer from a cost benefit basis (a they are free for victims) but are not really proactive or remediationary in nature. It is a “protect yourself” environment. Look at changing all passwords that are the same as your Marriott one, but dont’t stop there. Be alert and assume you have been compromised and begin that remediation protocol. Why dd it take 5 years to discover?
The least the group can do RIGHT NOW is to award its loyalty program members some bonus points.
I want this too but the scale is so great it would be very inflationary!
I am glad that Award Wallet notifies me of changes to my points. I hate all of these data breaches.
I certainly fall into that group that was affected by the breach. Thanks for the overview of the issue. I will be signing up for the Webwatcher tool.
Just wait, this one will certainly involve a class action lawsuit just like it did when Target was compromised.
That is so scary to have our information out there. I need to check back in my records to see if I stayed in one of their hotels during that time period.
Wow,
This is gonna be a headache.
I gotta call my credit cards and get them changed, then change my subscriptions.
This is not good
Scary stuff, especially the potential for identity theft…
Travel companies really need to do better.
What, to me, at least, is amazing is that Marriott has not reached out to its customers. If they discovered this in September, they certainly have had the time to at a minimum email Rewards members with some type of information. One has to wonder, what are they not telling us?
Yet another reason to switch business away from Marriott. A four year hack that wasn’t discovered until the other day is absolutely mind blowing.
How much worse can it get for Marriott this year? Marriott/SPG program integration problems, redemption devaluations, continual tweaks of member benefits downward and now this. Maybe they’ll throw a few perks out to try to win some of the customers back. I personally haven’t stayed at a Marriott property since the program’s merged back in August.
Thank you so much for the details and how to track the breach!!!
It looks like your personal info will never be safe again… breaches everywhere
I wonder when will the next victim be announced.
This could be a disaster
Maybe time to go back to a cash driven economy. Just kidding. Pays to check all your accounts frequently; someone taking advantage of this information might not actually utilize it for a year or more. Always be vigilant.
No doubt, the reality is one must be vigilant in this hyperconnected digital age. However, I’d much rather apply my limited time for vigilance to award promotions than towards monitoring my accounts for fraud. Shouldn’t be my job frankly.
This is not good news.
The most ridiculous part, to me, is that supposedly the breach had been exploited since 2014! In any event, settings changed, thank you.
Since 2014? damn that is horrible for Marriott. 4 years of this hacking going on
this could be VERY bad….
This is really disturbing news! To think it’s been ongoing for so long!
The memory of the Cathay Pacific data breach is still fresh.
So crooks now have my home address along with a neat list of dates I won’t be home !!
Cheers Marriott / SPG.
Well the Marriott Starwood merger just keeps on giving i see
Holy smokes, this is huge! Obviously it’s going to cost Marriott a big chunk of money to provide free credit monitoring for everyone affected by this but it still seems like there needs to be some way to incentivize companies to proactively prevent data breaches. I don’t know whether that will take gov’t fines or if it will take market devaluation or consumer boycotts but you always do better with the carrot than the stick so it would be great to find a positive way to enforce a data breach regulation like that. If only I were more psychologically creative, sigh…
They’ve got insurance for these types of things — biggest potential impact is customers/loyalty/brand tarnishment — and honestly, I doubt that’ll be anything noteworthy. Look at other companies with big data breaches; did you run from them?
I would have to agree with you… Nothing is 100% Secure…