Marriott today announced one of the largest data breaches on record, revealing that information on up to 500 million guests who booked a reservation at a Starwood property may have been compromised.

“This is one of the most significant data breaches in history given the size — about 500 million people are affected — and the sensitivity of the personal information that was stolen,” says Ted Rossman, industry analyst at CreditCards.com.

For some 327 million of these guests, their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, and gender are among the data included in the breach. Some may have had payment card numbers and card expiration dates affected as well. Marriott has not been able to rule out that the components needed to decrypt this encrypted payment data were also taken in the breach.

“People should be concerned that criminals could use this info to open fraudulent accounts in their names,” Rossman says.

Marriott and Starwood

Marriott International’s acquisition of Starwood Hotels & Resorts Worldwide was first announced in November 2015. The deal closed in September 2016. Like any merger, especially in the travel industry, merging the two hotel giants’ reward programs has been challenging.

“This appears to be a huge black eye for one of the major hotel giants, which has been facing other challenges when it comes to integrating Starwood brands and operations,” says Mark Hamrick, senior economic analyst and Washington bureau chief at Bankrate.

Marriott stated that on September 8 it received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. During the ensuing investigation, Marriott learned that there had been unauthorized access to the Starwood network since 2014.

“This is just the first iteration of disclosure on what will be a continuing issue, including the financial fallout for Marriott as well as any potential response by regulators and authorities,” Hamrick says. “For consumers, the keys are what they need to know and what they need to do.”

Freezing your credit could help

In September, laws passed in May went into effect requiring each of the three credit bureaus – Equifax, Experian and TransUnion – to allow consumers to freeze their credit for free. While it’s not guaranteed to protect you from any ill effects of the Marriott data breach – or past and future security breaches – it may help protect you if someone tries taking credit out in your name. The security freeze could block such an attempt.

“To guard against criminals opening fraudulent accounts, I recommend freezing your credit,” Rossman says. “It will prevent crooks from opening new credit in your name and can be accomplished for free in just a few minutes by contacting Experian, Equifax and TransUnion.”

What should you do?

First, change your password for the Starwood rewards program (on the Marriott site). If you use that password anywhere else, change it there immediately, and consider enabling two-factor authentication on all of your sites and using a password vault to store unique passwords instead of reusing the same one.

Marriott is providing its guests with the opportunity to enroll in WebWatcher, a service that monitors websites where personal information may be shared, free for one year.

It’s always a good idea to monitor your credit, and a data breach like this is a good reminder. Bankrate provides its readers an opportunity to monitor their credit for free.

Starwood properties include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels and Starwood branded timeshares.

Past data breaches

  • Anthem: 2015 breach affected 80 million patient and employee records, potentially exposing names, dates of birth, Social Security numbers, email addresses, employment information and income data.
  • eBay: 2014 breach affected 145 million customer accounts, including personal information.
  • Equifax: 2017 breach potentially impacted 143 million U.S. customers.
  • Home Depot: 2014 breach affected 56 million credit card accounts and 53 million email addresses.
  • Target: 2013 breach affected 40 million credit and debit card accounts, as well as data on 70 million customers.
  • Yahoo: 2014 breach of 500 million Yahoo accounts.