Marriott Is Telling Guests What Data Was Stolen in the 2018 Breach

Mar 13, 2019

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Just a few months after Marriott unveiled to the world that much of its guest data had been compromised in one of the worlds largest-ever data breaches, guests are now learning what specific information was taken by hackers. Marriott has said that the information of up to 383 million userswas stolen from the Starwood databases in a breach that lasted from 2014 through late 2018.

Personal information like birth dates, addresses, loyalty program numbers and travel details were lifted from Starwood’s system, but most notably up to 19 million passport numbers were stolen — information that’s incredibly sensitive, and could lead to identity theft.

In mid-February, Marriott released a form that allowed guests to request what parts of their personal information may have been exposed in the breach. On Wednesday, the hotel chain has started sending out the results of the inquiries. TPG Executive Editorial Director Scott Mayerowitz and Senior Writer JT Genter both received a response revealing what Marriott says was stolen. Here’s the letter sent to Genter:

Dear John Genter,

We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident. Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:

* Name
* Birthdate
* Birthday (Month and Day Only)
* Address Information
* Primary Email Address
* Primary Phone Number
* Other Phone Information
* Starwood Preferred Guest (SPG) Number
* Starwood Preferred Guest (SPG) Loyalty Status and Balances
* Guest Frequent Traveler Program Information
* Starwood Executive Traveler Number
* Guest Opt-In Preferences
* Email Communication Preferences
* Reservation Details
* Central Starwood Unique Record Locator
* Employed at Starwood (Y/N)
* Record History Information

Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at If you have further questions or requests regarding this information, please contact us through this portal. You will continue to have access to this request for the next 30 days.

Thank you.
Marriott Privacy Center

Results reveal that both Genter and Mayerowitz had large amounts of information taken. Marriott still does not know who was responsible for the attack.

In testimony to the US Senate last week, Marriott CEO Arne Sorenson said that Marriott believes 19 million passport numbers were stolen, and thinks about five million of those passport numbers were unencrypted, making them highly vulnerable to being compromised. Marriott has said it will pay for new passports of travelers who were affected by the data breach. Nine million encrypted credit card numbers were stolen, but only a small percentage of those were unencrypted.

Sorenson added that Marriott is using a third-party service to track the stolen data and so far it believes none of the stolen information has appeared on the internet or dark web. If you were affected by the hack, see TPG‘s guide on what to do to protect yourself, including using Marriott’s third-party tool to track if your information appears anywhere. It’s worth noting that Sorenson has said that data of guests’ traveling companions were likely compromised too.

Featured image by

Chase Sapphire Preferred® Card

WELCOME OFFER: 80,000 Points


CARD HIGHLIGHTS: 2X points on all travel and dining, points transferrable to over a dozen travel partners

*Bonus value is an estimated value calculated by TPG and not the card issuer. View our latest valuations here.

Apply Now
More Things to Know
  • Earn 80,000 bonus points after you spend $4,000 on purchases in the first 3 months from account opening. That's $1,000 when you redeem through Chase Ultimate Rewards®. Plus earn up to $50 in statement credits towards grocery store purchases within your first year of account opening.
  • Earn 2X points on dining including eligible delivery services, takeout and dining out and travel. Plus, earn 1 point per dollar spent on all other purchases.
  • Get 25% more value when you redeem for airfare, hotels, car rentals and cruises through Chase Ultimate Rewards®. For example, 80,000 points are worth $1,000 toward travel.
  • With Pay Yourself Back℠, your points are worth 25% more during the current offer when you redeem them for statement credits against existing purchases in select, rotating categories.
  • Get unlimited deliveries with a $0 delivery fee and reduced service fees on eligible orders over $12 for a minimum of one year with DashPass, DoorDash's subscription service. Activate by 12/31/21.
  • Count on Trip Cancellation/Interruption Insurance, Auto Rental Collision Damage Waiver, Lost Luggage Insurance and more.
  • Get up to $60 back on an eligible Peloton Digital or All-Access Membership through 12/31/2021, and get full access to their workout library through the Peloton app, including cardio, running, strength, yoga, and more. Take classes using a phone, tablet, or TV. No fitness equipment is required.
Regular APR
15.99%-22.99% Variable
Annual Fee
Balance Transfer Fee
Either $5 or 5% of the amount of each transfer, whichever is greater.
Recommended Credit

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.