KAILUA-KONA — The Hawaii Office of Consumer Protection is advising anybody who stayed at a Starwood hotel or timeshare since 2014 to guard themselves against identity theft after Marriott, owner of Starwood Hotels and Resorts, announced a security breach said to have compromised personal information belonging to as many as 500 million people nationwide.
The breach affects hotel brands operated by Starwood before it was acquired by Marriott in 2016 and includes hotel brands like St. Regis, Sheraton, Westin and others, according to the Associated Press. No Marriott-branded chains are threatened.
“With respect to just Hawaii in general: There are going to be thousands of people who are going to be impacted by this,” said Stephen H. Levins, executive director of the Office of Consumer Protection, which is under the state Department of Commerce and Consumer Affairs.
Starwood Hotels Hawaii’s website lists the Sheraton Kona Resort &Spa at Keauhou Bay as its lone Hawaii Island property. There are 12 Starwood Preferred Guest Resort properties across the state, including The Royal Hawaiian and Moana Surfrider.
Personal information exposed by the breach includes passport numbers, mailing address, phone numbers, birth dates and Starwood Preferred Guest account information. It may also include payment card numbers and expiration dates.
Levins said Friday afternoon that his office has opened up an investigation and will be joining with other states’ consumer protection enforcement units.
He added his office will also be speaking to Marriott and their representatives to learn more about the cause behind the breach, what steps they’ve taken in response and how many people have been affected.
Hawaii law requires businesses that collect residents’ personal information to immediately notify them when a security breach is discovered.
Marriott said they began sending emails on a rolling basis on Friday to guests whose email addresses are in Starwood’s database.
Levins urged residents to be on the lookout for phishing emails from accounts posing as Marriott to collect personal information. Marriott said its email will come from [email protected]
If a business notifies more than 1,000 people at once, it’s also required to notify the Office of Consumer Protection in writing “without unreasonable delay” and all consumer reporting agencies.
Levins said Friday he hadn’t yet seen any such notice from Marriott.
“I would anticipate that that’s going to be provided very soon,” he added.
In the meantime, his office is urging residents to take steps to protect themselves against identity theft.
He said those who have stayed at one of the affected hotels could reasonably assume their information has been compromised in some way.
“Whether your credit card has been taken or not, it seems to be not absolutely clear at this point,” he said. “But I would err on the side of caution and make that assumption and seriously think about putting a credit freeze on your credit report or at least a fraud alert on it.”
The Office of Consumer Protection recommended people check their credit reports for any unauthorized entries or accounts, place a credit freeze — or at least a fraud alert — on their files and change login information on accounts with Starwood. If consumers used that username or password with other accounts, those should be changed as well.