Starwood Preferred Guest Hacked: Half a billion guests affected

It seems travel has become the curse of the season as travel brands are unable to keep their data secure from leaks and data breaches any longer. We heard of the data breach of Cathay Pacific which was not heard of for the longest time. And now turns out Marriott’s Starwood Preferred Guest acquisition is a big risk to their systems too.

Marriott has just released a statement, that they have discovered an unauthorised access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.

Marriott learned during an investigation that there had been unauthorized access to the Starwood network since 2014, leading up to September 8, 2018, when the breach was detected. The company discovered that an unauthorized party had copied and encrypted information.  On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

The company believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.  For approximately 327 million of these guests, the information includes some combination of:

  • Name
  • Mailing address
  • Phone number
  • Email address
  • Passport number
  • Starwood Preferred Guest (“SPG”) account information
  • Date of birth
  • Gender
  • Arrival and departure information
  • Reservation date
  • Communication preferences

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).  There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.  For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

Guest Support

Marriott has taken the following steps to help guests monitor and protect their information:

  • Dedicated Website and Call Center: Marriott has established a dedicated website (info.starwoodhotels.com) and call centre to answer questions about this incident. The frequently-asked questions on info.starwoodhotels.com may be supplemented from time to time.  The call center is open seven days a week and is available in multiple languages.  Call volume may be high, and we appreciate your patience.
  • Email Notification: Marriott will begin sending emails on a rolling basis starting today, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
  • Free WebWatcher Enrollment: Marriott is providing guests WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.

Unfortunately, this courtesy has only been extended to members from UK, USA and Canada.

I’ll update this information as more information appears. But for now, we can’t do much but wait to hear from Starwood / Marriott if we are the unlucky ones or not.

Leave a Reply

Your email address will not be published. Required fields are marked *