Marriott says Starwood data breach could affect 500 million guests

If you have stayed at Marriott, you might want to be extra-vigilant on your credit cards and identity usage for the next 6 months.

Are you affected by the breach?

Anyone who made a reservation on or before September 10, 2018, at a Starwood property could be affected, Marriott said. The company said Marriott properties use a separate reservation system and that its investigation found only the Starwood network was breached.

Marriott has disclosed a massive data breach for about 500 million guests who booked reservations at its Starwood properties. The number of people involved in the hacked reservation database makes it one of the largest ever cyberattacks on a company.

The hotel giant said in a statement that it discovered “unauthorized access” to the database dating back to 2014. The hacker had copied and encrypted information and “took steps toward removing it,” Marriott said.

The hack impacts up to 500 million guests who made reservations at a Starwood hotel, which includes Sheraton and Westin hotels. For about 327 million of that number, the compromised information includes data such as names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

“This is one of the most significant data breaches in history given the size — about 500 million people are affected — and the sensitivity of the personal information that was stolen,” said industry analyst Ted Rossman.

In some cases, payment card numbers and expiration dates were also taken, but Marriott said it’s unclear whether the hackers have information to decrypt the payment card numbers.

Some security experts said the breadth of the data involved presents problems for consumers, especially with loss of sensitive data such as passport information.

“Its impact on the victims is much greater than the numbers reveal,” said John Gunn, chief marketing officer of cybersecurity company OneSpan. “It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport.”

The New York Attorney General’s office said in a tweet that it has opened an investigation into the breach. “New Yorkers deserve to know that their personal information will be protected,” the office said. Other state attorneys general also said they planned to investigate, including Maryland and Pennsylvania.

Marriott shares fell $6.50, or more than 5 percent, to $115.34 in early trading on Friday.

Calls for new laws

The breach prompted some lawmakers and security experts to call for new laws to strengthen consumer protections and privacy standards.

“Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’s resolve,” Sen. Mark Warner, D-Virginia, tweeted. “And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

Marriott’s response

Marriott has set up a website for consumers affected by the hack, at, and a call center. “Call volume may be high, and we appreciate your patience,” the company said.

Marriott also said it is providing free enrollment in WebWatcher, a company that monitors internet sites where personal information is shared, to alert consumers if their data is found there. (U.S. customers can click here to enroll in the service.)

Which hotels are Starwood properties?

Starwood properties include:

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Méridien Hotels & Resorts
  • Four Points by Sheraton

It also affects all the Design Hotels that participate in the Starwood Preferred Guest program. Starwood branded timeshare properties are also included.

Marriott: Beware of “phishing”

The hotel chain said it will send emails to guests whose data may have been stolen, but warned consumers that fraudsters may send so-called phishing emails that look as if they were sent by Marriott and try to elicit information. The official email will come from, the company said.

Experts: What steps to take

Fraudsters could open fake accounts in consumers’ names using the information held by the Starwood database, Rossman of said.

“To guard against criminals opening fraudulent accounts, I recommend freezing your credit,” he said. “It will prevent crooks from opening new credit in your name and can be accomplished for free in just a few minutes by contacting Experian, Equifax and TransUnion.”


Did they use Yahoo Mail? Just asking.

Probably hired someone with a degree in Music to be in charge of their cyber-security division


This was discovered September 8 but just publicized November 30? I find that to be really troubling. What damage could’ve been done to consumers during that time period? It inhibits our ability to take steps to protect ourselves. They should be forced to pay out on this one. I’m tired of receiving the free year of identity protection. I’ve got that enough times and it’s useless. Time for class action.



It could have been as bad as Yahoo, who last time said “…errm, you should all change your passwords. Especially if you haven’t done so for a year!”

…and in the UK it seems that the ISP TalkTalk keeps getting hacked every couple of years and always on the SQL database package. You might think they would have swapped DB providers by now.

I agree, why did it take so long to make this public?

I haven’t stayed in a Marriott for many years, so won’t affect me or my family, but millions of others could have their personal and financial information compromised.

I’ve always heard good things about Marriot. I generally don’t have a hotel preference when I travel - price is my preference. This though seems a little too crazy to be accurate. How did the Starwood chain within Marriot have 500 million guests? I don’t even see how that’s possible.