Marriott suffers a massive breach of its guest records. Here’s how to protect yourself

Marriott gives update on its hack, says millions of passport numbers were stolen

The data of as many as 383 million travelers could have been compromised in a breach of Marriott’s Starwood Preferred Guest (SPG) database. After originally sharing information about the breach in November, the company released updated information on January 4, with fewer guests affected but some unencrypted passport numbers involved in the breach. Marriott says an internal security tool recently alerted the company to the breach, but an investigation showed the unauthorized access began in 2014. The breach only includes the Starwood Preferred Guest loyalty program — guests who booked at a Marriott-owned property from another booking platform were not affected.

Marriott originally estimated that as many as 500 million guests may have had data compromised by the breach, though the company hasn’t yet completed the investigation. That number is now lower, with the company estimating as many as 383 million affected. For some guests, Marriott says payment card numbers and expiration dates were compromised. That payment data was encrypted, Marriott says, but the investigation hasn’t yet determined if the components needed to decrypt the data were also compromised.

Now, Marriott says that around 5.25 million unencrypted passport numbers were also stolen, along with more than 20 million encrypted numbers. The company also says that payment information was only compromised for a small percentage of those affected by the breach — around 8.5 encrypted numbers were affected, but a majority of those cards have already expired.

The company shared in November that around 327 million guests had non-payment-related data compromised, which can include their name, mailing address, phone number, email address, passport number, SPG account data, birth date, and gender, along with details like arrivals and departures, reservation dates, and communication preferences. Other guests had more limited data compromised, such as name, email, and mailing address, the company says.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and chief executive officer, said in a press release. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The breach affected accounts using the SPG platform between 2014 and September 10, 2018. Marriott says affected guests were notified by email, and the call center can help guests determine if their passport numbers were part of the breach. The company is also offering a dedicated website and call center for affected users, as well as a free year of WebWatcher. The breach was also reported to law enforcement agencies.

“Today, Marriott is reaffirming our commitment to our guests around the world,” Sorenson said. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

The SPG breach joins other recent data hacks inside the travel industry, including those affecting Orbitz, British Airways, and Cathay Pacific.

What can you do to protect yourself?

This incident is particularly severe because it includes the possible loss of payment card numbers, expiration dates, and other payment data. This data was encrypted, but that doesn’t mean it’s safe. Even the loss of address and phone number information is significant since it can be used to help criminals defraud victims.

Vivek Lakshman, vice president of Innovation at biometric security company ThumbSignIn, sees a reason for concern. “This is huge in its depth of knowledge about the customer and the reach of millions of customers,” he said. “If the information reaches the dark web, as it happens with other breaches, it can get to other hackers and can have a cascading impact on consumer accounts.”

If you’ve stayed at Marriott lately, or are otherwise worried that your data was compromised, you can protect yourself by using the usual methods. According to Lakshman, that includes changing your passwords, enabling two-factor authentication, and signing up for the WebWatcher service that Marriott has offered. You can take an even more extreme, and effective, step by freezing your credit. This will prevent criminals from using the compromised information to open new lines of credit in your name.

What will the consequences be for Marriott? That’s hard to say. Lakshman told Digital Trends that “apart from massive loss of customer trust, there are likely government fines for Marriott.” Yet he seemed skeptical that these fines will be substantial, adding that “[…] with the rate of breaches happening, even this will pass and be forgotten from consumer memory in a few years.”

Updated January 4, 2019: Added updated data from Marriott. 

