Marriott: Massive security breach compromises info of 500 million guests

This photo taken on January 11, 2018 shows a Marriott logo in Hangzhou in China's Zhejiang province. Authorities in China have shut down Marriott's local website for a week after the US hotel giant mistakenly listed Chinese-claimed regions such as Tibet and Hong Kong as separate countries. / AFP PHOTO / - / China OUT (Photo credit should read -/AFP/Getty Images)

NEW YORK — The Marriott has issued an alert after it says the Starwood guest reservation system was hacked.

The hotel chain said Friday the hack affects its Starwood reservation database, a group of hotels it bought in 2016 that includes the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest program.

The company said on Friday that they initially received an alert that someone was trying to access the Starwood database back in September. While investigating, they discovered that the individual had actually gained access sometime in 2014 and had copied the personal information for some 500 million guests that had stayed at Starwood properties.

For 327 million of those, Marriott said the information that the hacker had access to included combinations of name, mailing address, phone number, email address, passport number, data of birth and gender. For some it also included payment card numbers and their expiration dates.

The Marriott released the following statement:

“Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

The company said anyone who made a reservation at a Starwood property prior to September 11, 2018 could be impacted by the breach. Marriott said they are sending out emails to those affected and will provide them with free enrollment in WebWatcher, a system which monitors websites for your personal information.

In the meantime, here’s what you can do to protect yourself:

1. Change your password

Marriott says guests should change their passwords regularly and pick ones that aren’t easily guessed. For example, instead of a common phrase, choose a combination of four or more unrelated words with numbers, characters and a mix of upper and lower-case letters.

You should also have different passwords for all the services you use.

“Changing your password will just add one more roadblock to a potential hacker getting into your system,” said Aaron Brantly, a cybersecurity expert at Virginia Tech.

2. Monitor your accounts for suspicious activity

Marriott recommends customers keep an eye on their Starwood Preferred Guest account for any suspicious activity. Members should also check their bank, retirement, and brokerage accounts, as well as credit card statements to look for any unauthorized transactions.

3. Open a separate credit card for online transactions

Yair Levy, a cybersecurity and information systems expert at Nova Southeastern University, recommends having a credit card dedicated to online shopping. This makes it easier to track transactions and spot fraudulent activity.

If that credit card is compromised, you also won’t have to update automatic payments for things like bills.

4. Be vigilant

Experts caution internet users to be wary of “phishing” attempts by bad actors looking to steal your data, including through bogus emails, fake links and fraudulent websites. On its informational website about the hack, Marriott reminded members the company will not ask you to provide your password by phone or email.

Notice: you are using an outdated browser. Microsoft does not recommend using IE as your default browser. Some features on this website, like video and images, might not work properly. For the best experience, please upgrade your browser.