Marriott Is Telling Guests What Data Was Stolen in the 2018 Breach
Just a few months after Marriott revealed to the world that much of its guest data had been compromised in one of the world's largest-ever data breaches, guests are now learning what specific information was taken by hackers. Marriott has said that the information of up to 383 million users was stolen from the Starwood databases in a breach that lasted from 2014 through late 2018.
Personal information like birth dates, addresses, loyalty program numbers and travel details was lifted from Starwood's system, but most notably up to 19 million passport numbers were stolen, information that's incredibly sensitive and could lead to identity theft.
In mid-February, Marriott released a form that allowed guests to request what parts of their personal information may have been exposed in the breach. On Wednesday, the hotel chain started sending out the results of the inquiries. TPG Executive Editorial Director Scott Mayerowitz and Senior Writer JT Genter both received a response revealing what Marriott says was stolen. Here's the letter sent to Genter:
Dear John Genter,
We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident. Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:
* Name
* Birthdate
* Birthday (Month and Day Only)
* Address Information
* Primary Email Address
* Primary Phone Number
* Other Phone Information
* Starwood Preferred Guest (SPG) Number
* Starwood Preferred Guest (SPG) Loyalty Status and Balances
* Guest Frequent Traveler Program Information
* Starwood Executive Traveler Number
* Guest Opt-In Preferences
* Email Communication Preferences
* Reservation Details
* Central Starwood Unique Record Locator
* Employed at Starwood (Y/N)
* Record History Information
Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com. If you have further questions or requests regarding this information, please contact us through this portal. You will continue to have access to this request for the next 30 days.
Thank you.
Marriott Privacy Center
Results reveal that both Genter and Mayerowitz had large amounts of information taken. Marriott still does not know who was responsible for the attack.
In testimony to the US Senate last week, Marriott CEO Arne Sorenson said that Marriott believes 19 million passport numbers were stolen, and thinks about five million of those passport numbers were unencrypted, making them highly vulnerable to being compromised. Marriott has said it will pay for new passports of travelers who were affected by the data breach. Nine million encrypted credit card numbers were stolen, but only a small percentage of those were unencrypted.
Sorenson added that Marriott is using a third-party service to track the stolen data and so far it believes none of the stolen information has appeared on the internet or dark web. If you were affected by the hack, see TPG's guide on what to do to protect yourself, including using Marriott's third-party tool to track if your information appears anywhere. It's worth noting that Sorenson has said that data of guests' traveling companions were likely compromised too.