Marriott Releases Way for Users to See If Personal Info Was Part of Massive Data Breach
In November 2018, Marriott revealed that up to 500 million guests' information was stolen from the Starwood reservation guest database in a long-running breach that lasted from 2014 to 2018.
In subsequent weeks, Marriott lowered the estimated number to 383 million unique guests, shared that more than five million unencrypted passport numbers were included in the breach and said it would pay for new passports for those affected. As the investigation continued, signs pointed to China as being behind the breach.
For months, those who have wondered if their information was part of the breach were simply left hanging. Marriott said that it would start reaching out to customers immediately, but 95% of TPG readers who reported having stayed at an SPG/Marriott property during the breach hadn't received contact from Marriott within a week of the self-imposed contact deadline.
Now, Marriott has finally released a method for guests to see if their information was included in the breach. However, there's a catch: in order to see if your information was exposed, you need to submit your personal data via a web form.
As reported by TechCrunch on Friday, Marriott has partnered with security firm OneTrust to let guests "make a request regarding whether your data was involved." In order to submit the request, you'll need to provide the following information via the web form:
- First Name
- Last Name
- Email Address
- Country/Region
- SPG Number (Recommended)
- Last 6 Characters of Passport ID (Recommended)
- City
- State/Province
- Postal Code
Once you've submitted the required data, the form notes that "Marriott will respond to your request as soon as reasonably practicable and consistent with applicable law." The results are not immediate.
Between having to enter personal data via a web form not hosted on Marriott's website and the wait to hear back, I'm assuming that most people are going to pass on this — and rightfully so. However, as I assume that my personal data has already been exposed repeatedly, I went forward with submitting a request at 10:15am ET on Saturday. After filling in the initial form, I received a message:
One More Step! Your identity needs to be confirmed.
Please check your email for confirmation, click confirm and we will start your request.
Once I clicked through the link sent to my email address, I received a message that my request was confirmed and I'd be contacted "shortly" with the results. But, I'm not holding my breath. (No updates received as of publication at 11:30am ET the same day.)
In an update shared on info.starwoodhotels.com (note: that link redirects to answers.kroll.com) on Friday, Marriott confirms that 383 million is "the upper boundary for the total number of guest records that were involved in the incident" as Marriott "concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved." However, some more-specific numbers have now been shared:
- There were approximately 8.6 million unique payment card numbers, all of which were encrypted
- There were approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers