CLEVELAND, Ohio – Hackers have broken into part of Marriott International’s hotel reservation system and may have stolen personal information for 500 million people worldwide, the company announced Friday.
The data breach involves Marriott’s Starwood brands, which include Sheraton, Westin, Four Points by Sheraton and other chains.
Marriott said the stolen information includes 327 million customer names, along with phone numbers, email addresses, passport numbers, dates of birth, and arrival and departure information.
Credit and debit card information may have been stolen for tens of millions of other customers, Marriott said.
“This is one of the most significant data breaches in history given the size — about 500 million people are affected — and the sensitivity of the personal information that was stolen,” CreditCards.com industry analyst Ted Rossman said in a statement.
He noted that exposure of passport numbers and birthdates is more worrisome than hacking of payment information, which was encrypted and can at least be changed, unlike dates of birth.
Maryland-based Marriott bought the Starwood brand in 2016. Marriott said thieves hacked into Starwood’s reservation database in about 2014, but it was alerted to a problem only in September and figured out the extent of the breach last week.
Consumers who made a reservation at a Starwood property on or before Sept. 10, 2018 may have been affected.
“Any time there is a breach that has gone undetected for this long and affected this many people, it’s very concerning,” Ohio Attorney General Mike DeWine said in a statement. “We’re hoping Marriott will step up to help those affected. We’re also encouraging individuals to take steps to protect themselves.”
People who used debit cards could face bigger risks than those who used credit cards, because thieves with someone’s debit card information can steal money from a checking account. Plus, credit cards carry greater protections under federal law.
If there’s any good news, it’s that Social Security numbers weren’t involved, although SSNs are already out there for half of the U.S. adult population after last year’s data breach at the Equifax credit bureau.
“Marriott deeply regrets this incident happened,” the company said in a statement, adding that it’s working with security experts and law enforcement.
“We fell short of what our guests deserve and what we expect of ourselves,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
In a filing with the Securities and Exchange Commission, Marriott said it doesn’t yet know how much this will cost the hotel chain, but said it does have insurance, including cyber insurance.
Marriott said it will start emailing affected customers from this email address: [email protected]
Marriott noted that other thieves undoubtedly will try to take advantage of this breach by sending out fraudulent emails that may appear to be from Marriott, and may use the company’s logo.
“We also want you to be aware that when other companies have provided notifications like this, other people used it to try to trick individuals into providing information about themselves through the use of links to fake websites (phishing) or by impersonating someone they trusted (social engineering),” the company said. “Please note that the email you may receive from us will not contain any attachments or request any information from you, and any links will only bring you back to this webpage.”
The company is offering customers the ability to enroll in WebWatcher free for one year. WebWatcher monitors various online sites that are notorious for sharing or buying and selling personal information. If a person’s information is detected to be in play, the consumer will get an alert. To enroll in WebWatcher, go to info.starwoodhotels.com and click on your country.
Consumers who have questions in the interim can call Marriott at 1-877-273-9481.
U.S. businesses have been hit by a dizzying number of data breaches in the last five years, starting with Target in 2013, and including Home Depot, Sears, Anthem, Equifax, and universities and government offices. Even the IRS said it was hacked in 2015.
Marriott customers who worry their information may have been stolen can take other steps to protect themselves:
* If you used a debit card at a Starwood hotel, get a new one ASAP. If the debit card involved your primary bank account, consider opening a secondary account with little money in it and connecting the debit card to that account.
* Contact the financial institutions where you have accounts. Make sure your contact information is current so the company can reach you if necessary.
* Freeze your credit files with all four credit bureaus. Bad guys don’t necessarily need your SSN to open an account in your name. You can freeze all of your files in about 20 minutes. To freeze or thaw your files by phone, you can reach the bureaus at: Equifax, 800-685-1111; TransUnion, 888-909-8872; Experian, 888-397-3742; Innovis, 800-540-2505.
* Put security alerts on your existing financial accounts. Make sure you are signed up to get email or text notifications if there are any transactions outside parameters you set, such as withdrawals above a certain amount, any online transaction, or a balance that falls below a certain amount.
* Get your free credit report from at least one of the bureaus. You can get one free per year per bureau. Stagger your free ones every four months. Call 877-322-8228 or go to www.annualcreditreport.com. You’ll be asked to provide your name, address, Social Security number and date of birth. If there’s any inaccurate information on your credit reports, use the dispute process to get the information removed or corrected. Don’t google “free credit report”. You’ll end up on a sleazy site.
* Be hyper-paranoid about unsolicited calls, texts or emails that claim to be from Marriott or your bank or credit card and ask for personal information. Remember that Marriott said all emails will come from this address: [email protected]. Never ever provide information to unsolicited inquiries. If someone claims to be from Marriott or your bank or the FBI, look up a phone number independently or call the number on the back of your card or on your account statement. Watch out too for odd calls or letters, such as a rejection for an account you didn’t try to open or a customer service satisfaction survey from a company you didn’t call.
* Monitor your bank, credit card and investment accounts regularly. At least every week, if not every day. Yes, sign up for online access for your account before someone else does.
* If you encounter any issues involving the fraudulent use of your name or information, file an identity theft affidavit with the Federal Trade Commission at https://www.identitytheft.gov (it will provide you with pre-written letters to send to creditors) and file a police report. Or call the FTC at 1-877-382-4357. Ohioans can get help with identity theft issues by contacting the attorney general’s office at 800-282-0515 or www.OhioProtects.org.
* Remember that 88 percent of identity theft involves existing accounts. Ask your banks, creditors and investment firms whether you can put additional PINs or verbal passwords on your accounts that don’t involve any public record data such as your date of birth or your mother’s maiden name. You want to make sure someone can’t access your accounts for wire transfers or to change your contact information without your secret password.
* For more information from Marriott, go to http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/ and https://answers.kroll.com