The Data Breach of the Year — and How to Protect Yourself in the Future
As many as 500 million people may have been affected
Travelers leaving town this Christmas holiday may want to rethink their hotel accommodations — amid potentially one of the largest breaches of consumer data ever.
Marriott International, the world’s biggest hotel chain, announced Friday that the sensitive personal information of as many as 500 million guests may have been compromised as part of a breach of its Starwood guest reservation database.
The company has since issued the following statement: “Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database.”
It continued, “The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before Sept. 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.”
The statement went on to say: “For about 327 million of the guests, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” said CEO Arne Sorenson, according to reporting from CNN.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, among others — and numbers more than 6,700 properties worldwide.
The Marriott hack is one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected. Only a 2013 breach of Yahoo that affected three billion people may be bigger. https://t.co/g0KaPLtcz6
— The Wall Street Journal (@WSJ) December 1, 2018
— CNN (@CNN) November 30, 2018
Brian Frosh, the attorney general of Maryland, where Marriott is headquartered, tweeted that his office was launching an investigation into the breach.
“The Marriott data breach is one of the largest and most alarming we’ve seen,” Frosh tweeted. “My office is launching an investigation to find out the circumstances that led to the breach and its impact on consumers.”
In the meantime, Marriott has taken action to help guests monitor and protect their personal information — including setting up a dedicated call center to answer any questions related to the incident.
It’s also providing guests the opportunity to enroll — free of charge for a year — in WebWatcher, a digital security service.
WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found, according to Marriott’ statement.
Still, that may not be enough.
Some guests may have had their credit card information stolen.
And while that data would have been encrypted, Marriott said it can’t rule out that the information may have been decoded, NBC News is reporting.
Elizabeth Economou is a former CNBC staff writer and adjunct professor. Follow her on Twitter.