—Another data breach, this time at Marriott’s Starwood brand, has reignited privacy concerns after the company recently announced that 500 million guests had their information accessed.
As a way to help those affected, Marriott says that it has set up a process to help those who believe their passports and other personal information could be affected.
Marriott says it will pay for new passports ‘if fraud has taken place’
“If through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs of getting a new passport,” a spokesman for the hotel told Marketwatch.com.
The company also said that customers will be offered free identity theft software. Marriott has set up an website — Answers.Kroll.com — for answers regarding the data breach. The company also lists call centers to take customers’ questions.
Marriott has not said what the reimbursement process will entail or how to submit receipts and/or other documents. To replace a passport booklet, it costs $110, while a passport book and card will set you back $140.
The massive hack at the world’s largest hotel group may turn out to be one of the biggest data breaches ever, according to multiple news reports.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotel, as well as Starwood branded timeshare properties.
Marriott: 500 million users exposed in Starwood data breach
Marriott said that it was first notified of a cybersecurity incident on September 8, when it received an alert from an internal security tool that someone was trying to access the Starwood guest reservation database in the United States.
During a subsequent investigation, the company learned that “there had been unauthorized access to the Starwood network since 2014,” including the personal information being copied and encrypted. Marriott said days later it was able to decrypt the info.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” Marriott said in a statement. “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Marriott says they established a dedicated website to answer questions about this incident.
Steps you can take if you think you might have been impacted by the breach
In addition to enrolling in WebWatcher if it is available in your country, below are some other steps you can take, according to Marriott.
- Monitor your SPG account: Be on guard against any suspicious activity.
- Change your password regularly: Do not use easily guessed passwords. Do not use the same passwords for multiple accounts.
- Review your payment card account statements: Look for unauthorized activity and immediately report unauthorized activity to the bank that issued your card.
- Don’t fall for ‘phishing’: Be vigilant against third parties trying to gather information by deception (commonly known as “phishing”), including through links to fake websites. Marriott will not ask you to provide your password by phone or email.
- Been scammed? Report it: If you believe you are the victim of identity theft or your personal data has been misused, you should immediately contact your national data protection authority or local law enforcement.
The revelations come as the company continues to deal with a strike at many of its marquee properties.
Team Clark will be following developments in this breach closely and will update you as warranted.