Marriott has today revealed that its Starwood guest reservation database has been subject to unauthorised access “since 2014”. The scope of the data breach is huge, covering nearly five years and approximately 500 million guests.
The company has created a website to deal with the breach at info.starwoodhotels.com (note that at the time of writing it redirects to answers.kroll.com).
The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk:
If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.
According to Marriott, its Starwood brands include: Starwood branded timeshare properties, W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
What data is at risk?
It seems that different guests may be subject to different levels of exposure, according to how much data they shared. Until you have successfully confirmed your level of exposure with Marriott, you should assume the worst.
Information put at risk by the breach includes “some combination of” name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, payment card numbers and payment card expiration dates.
Although payment card numbers were encrypted, thieves may have stolen the information required to decrypt them.
Marriott has not revealed what events or security failures occurred (it may not yet know), but it has released some details about how it discovered the breach.
The company says that on 8 September 2018 it was alerted to an unauthorised attempt to access the Starwood guest reservation database. Security experts called in to deal with the incident revealed that unauthorised access to the Starwood network started as far back as 2014, two years prior to Marriott’s acquisition of Starwood.
On 19 November 2018, Marriott learned that a recent attempt to encrypt and exfiltrate data from the network had included data from the Starwood guest reservation database.
As you can see from what Marriott has revealed so far, it can be difficult for everyone concerned to tell the difference between data that has been put at risk and data that has actually been stolen.
Until they can confirm otherwise, victims would be prudent to assume they amount to the same thing.
What to do?
Website and call centres
If you think you may be affected, make a point of checking the official breach website regularly, particularly its frequently asked questions section. Remember, it’s likely that Marriott is still learning about the breach and adapting to the situation it finds itself in.
Marriott says it has established a dedicated, multilingual call centre that will be open seven days a week. You can find your local call centre number by clicking on the large Call Centre Information link on the main page of the breach website.
Marriott has begun sending emails to affected guests whose email addresses are in the stolen database. This represents a huge potential opportunity for email scams, so the company has sensibly set out some guidelines to help you identify if an email is genuine:
- The email will come from firstname.lastname@example.org
- It will not contain attachments or requests for information
- It will only link to the official website
Marriott is offering victims in the USA, UK and Canada a free, one year subscription to something it calls WebWatcher, which it describes as a service that monitors “internet sites where personal information is shared”.
Don’t Google it. If you Google WebWatcher you won’t find the monitoring service, you’ll find lots of links to spyware of the same name. Don’t sign up for that!
Do follow the links to country-specific versions of the official breach site. You cannot sign up for monitoring from the main breach page, you have to go to the all-but-identical versions of the page for the US, UK or Canada.
On those pages you’ll find local call centre phone numbers and large, grey (and surprisingly easy to miss) Enroll Now buttons. They link to an enrolment form for Kroll’s ID monitoring service, and they look like this:
- Review your accounts. Review your bank or payment card accounts for suspicious activity, and if you’re a member of Marriott’s Starwood Preferred Guests program, monitor your SPG account for suspicious activity too.
- Beware of scams. Criminals may look to exploit anxious victims with fake websites or phishing emails, messages and phone calls. These may be well disguised so don’t click on any links, and verify anything you encounter by heading directly to the official breach website or calling the official call centre numbers.
- Report ID theft. If you think you’re a victim of identity theft, or if your stolen information has been misused, contact your national data protection authority or local law enforcement.
- Change your password if you have a Starwood Guest Account. If you used the same password on other websites or services, change those too. Choose different, strong passwords for each one.