Marriott reveals 500 million Starwood Preferred Guest accounts hacked – dating back to 2014


Marriott revealed this morning that it has identified a major breach of security at Starwood Preferred Guest, which Marriott inherited with its 2016 acquisition of Starwood Hotels & Resorts.

Astonishingly, the breach has been in place since 2014.  This means 500 million guest records are involved.

This is not a notional breach.  A Marriott investigation has shown that “an unauthorized party had copied and encrypted information”.


For over 300 million of the impacted guests, the data stolen involves:

  • name
  • mailing address
  • telephone number
  • email address
  • passport number
  • SPG account number
  • date of birth
  • arrival and departure stay information

Some guests have also had payment card numbers and expiration dates stolen, although this data was encrypted.  The bad news is that Marriott is refusing to rule out that the hacker had also stolen details of the two steps required to decrypt this information.

For the other 100 million+ guests, only their name and mailing or email address was stolen.

Marriott will begin sending emails today to affected guests whose email addresses are in the Starwood guest reservation database.

You can see the full Marriott statement on their website here.

On a more thoughtful note …… perhaps it is time to reconsider the whole ‘making your travel experience easier’ routine?  Whilst there are cost savings to be made as part of this, the airlines and hotels have been keen to collect unnecessary personal information now for many years primarily to smooth your journey.

No longer does a hotel check-in clerk need to manually copy out all your passport information, take your home address details and ask for a credit card deposit (at least for elite members).  It is all centrally stored in the system for when you arrive.  Except, when that system is not secure, your personal details are at risk.  Given that it is now virtually impossible to secure large corporate networks, companies should – at the very least – remove passport and credit card information from the data we are asked to store with them.



  1. One time a hotel in India took photocopies of our passports at check in. The next day, as there was no info in the room, we asked at reception what times the restaurant was open. They were kindly written down for us on a piece of paper. On the other side was a photocopy of my wife’s passport. When we complained she just crossed out the passport details and handed us the piece of paper. Just one of many issues we listed in an absolute stinker of a review on TripAdvisor!

    • Shoestring says:

      I distinctly remember quite a few hotels taking my passport off me at check in and leaving it on view in the pigeon hole for my room number behind the reception desk, alongside the passports of all the other guests! You got it back when you checked out.

      Can only have been 20-25 years ago.

      Innocent days (or stupid?)

    • I stayed in a SPG hotel once where their scrap/spare paper had what customers had paid for their rooms on the other side – this was only in 2012. At least I was reassured that I had not overpaid compared to other people – and I booked through BA then too.

  2. ankomonkey says:

    Hackers nowadays are pretty smart. Since they’re now using our credit cards, I wonder if they could do us all a favour in return by fixing the various issues with the Marriott/SPG merger IT changes.

  3. Seems like they’ve stolen my dob and not given it back… no recognition of my birthday at Sheraton la Caleta today!

  4. 37 comments on an article about possibly one of the biggest breaches in history versus 120 for the Christmas party!

    “Marriott reveals 500 million Starwood Preferred Guest accounts hacked – dating back to 2014”

    “Get your HFP Christmas Party tickets at noon today (and at noon tomorrow too!)”

    • Shoestring says:

      Released at quite different times. 8 hr difference?
      Very different subjects – fun vs serious.
      Can boast/ lament about Xmas party tickets – what can you do about data breach apart from moan?

  5. Off topic but hotel related……… reward night expiry……

    I foolishly have two rewards nights which will expire very soon and I can not possibly use them in time OR earn a new rewards night in time (in order to extend the expiration).

    Does anyone know if I can do something like this below to essentially extend the expiry and thus not lose them ?

    If I book a stay of 2 nights before the expiry date using my 2 reward nights for a date after the expiry date I know that my nights won’t expire as they are booked to be used. This has been confirmed to me.

    What happens though if I need to cancel that stay later (after the expiry date but within the specific booking cancellation period) because my plans have changed ? Do I lose the 2 reward nights or will they be returned to me renewed and refreshed with another 12 months to use them ??


    • Just book the cheapest night you can find. Somewhere like Bangkok for £3 a night. The reward night will get extended for a year even if you don’t check in.

  6. Great so crooks now have my home address along with a list of dates they know I won’t be home.

    If I am burgled can I take some sort of related legal action against Marriott ?

  7. RIccatti says:

    Very fitting, given that I cannot see my own activity record of past hotel stays because of IT reasons. But someone else apparently can!

    Together with the payment card data…

  8. Announcing the new loyalty scheme, Marriott Bonvoy. Say “bon voyage” to your personal data privacy!

  9. “… it now virtually impossible to secure large corporate networks”
    Having just retired from the information security business, I can categorically state that this is not true. What is true, however, is that spending cash on almost anything else is seen as a lot sexier than securing information; and many – if not most – large organizations are not willing to invest in proper security measures.

  10. So they have allowed crooks to get a neat little list of the dates we won’t be in our homes along with the address of that home !!
