
Marriott reveals 500 million Starwood Preferred Guest accounts hacked – dating back to 2014


Marriott revealed this morning that it has identified a major breach of security at Starwood Preferred Guest, which Marriott inherited with its 2016 acquisition of Starwood Hotels & Resorts.

Astonishingly, the breach has been in place since 2014.  This means 500 million guest records are involved.

This is not a notional breach.  A Marriott investigation has shown that “an unauthorized party had copied and encrypted information”.


For over 300 million of the impacted guests, the data stolen involves:

  • name
  • mailing address
  • telephone number
  • email address
  • passport number
  • SPG account number
  • date of birth
  • arrival and departure stay information

Some guests have also had payment card numbers and expiration dates stolen, although this data was encrypted.  The bad news is that Marriott is refusing to rule out that the hacker had also stolen details of the two steps required to decrypt this information.

For the other 100 million+ guests, only their name and mailing or email address was stolen.

Marriott will begin sending emails today to affected guests whose email addresses are in the Starwood guest reservation database.

You can see the full Marriott statement on their website here.

On a more thoughtful note ... perhaps it is time to reconsider the whole ‘making your travel experience easier’ routine?  Whilst there are cost savings to be made as part of this, airlines and hotels have for many years been keen to collect unnecessary personal information, primarily to smooth your journey.

No longer does a hotel check-in clerk need to manually copy out all your passport information, take your home address details and ask for a credit card deposit (at least for elite members).  It is all centrally stored in the system for when you arrive.  Except, when that system is not secure, your personal details are at risk.  Given that it is now virtually impossible to secure large corporate networks, companies should – at the very least – remove passport and credit card information from the data we are asked to store with them.


Comments

  1. Great so crooks now have my home address along with a list of dates they know I won’t be home.

    If I am burgled can I take some sort of related legal action against Marriott?

  2. RIccatti says:

    Very fitting, given that I cannot see my own activity record of past hotel stays because of IT reasons. But someone else apparently can!

    Together with the payment card data…

  3. Announcing the new loyalty scheme, Marriott Bonvoy. Say “bon voyage” to your personal data privacy!

  4. “… it now virtually impossible to secure large corporate networks”
    Having just retired from the information security business, I can categorically state that this is not true. What is true, however, is that spending cash on almost anything else is seen as a lot sexier than securing information; and many – if not most – large organizations are not willing to invest in proper security measures.

  5. So they have allowed crooks to get a neat little list of the dates we won’t be in our homes along with the address of that home!!
