About 500 million Starwood guests may have had their information stolen in a data breach, Marriott International announced Friday.
The company said there was a data security incident involving the Starwood guest reservation database, affecting guest information with reservations at Starwood properties. The affected brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels.
Marriott – which bought Starwood hotels in 2016 – said the unauthorized access has been going on since 2014, and that the breach affects customers who made bookings on or before Sept. 10, 2018. The hospitality giant concluded there was a breach on Nov. 19 following a more than two-month investigation that began after Marriott received an alert about an attempt to access the Starwood database in the U.S.
For approximately 327 million of these guests, Marriott said the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For others, the information also includes payment card numbers and payment card expiration dates. While this information was encrypted, it’s possible that the hackers also took the information necessary to decrypt them.
Marriott will begin sending emails on a rolling basis, starting today, to affected guests whose email addresses are in the Starwood guest reservation database.
For concerned guests, Marriott established a dedicated website (info.starwoodhotels.com) and call center to answer questions about the incident. The call center is open seven days a week and is available in multiple languages.
Marriott said it is also providing guests with the opportunity to enroll in WebWatcher, free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.