CBSN

Marriott data breach hits 500 million guests – here's what the hackers got

Last Updated Nov 30, 2018 1:44 PM EST

Marriott has disclosed a massive data breach affecting about 500 million guests who booked reservations at its Starwood properties. The number of people in the hacked reservation database makes it one of the largest cyberattacks ever on a company.

The hotel giant said in a statement that it discovered "unauthorized access" to the database dating back to 2014. The hacker had copied and encrypted information and "took steps toward removing it," Marriott said. 

The hack impacts up to 500 million guests who made reservations at Starwood hotels, which include Sheraton and Westin. For about 327 million of those guests, the compromised information includes data such as names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

"This is one of the most significant data breaches in history given the size — about 500 million people are affected — and the sensitivity of the personal information that was stolen," said CreditCards.com industry analyst Ted Rossman. 

In some cases, payment card numbers and expiration dates were also taken, but Marriott said it's unclear whether the hackers have information to decrypt the payment card numbers. 

Some security experts said the breadth of the data involved presents problems for consumers, especially with loss of sensitive data such as passport information. 

"Its impact on the victims is much greater than the numbers reveal," said John Gunn, chief marketing officer of cybersecurity company OneSpan. "It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport."

The New York Attorney General's office said in a tweet that it has opened an investigation into the breach. "New Yorkers deserve to know that their personal information will be protected," the office said. Other state attorneys general also said they planned to investigate, including Maryland and Pennsylvania.

Marriott shares fell $6.50, or more than 5 percent, to $115.34 in early trading on Friday. 

Calls for new laws

The breach prompted some lawmakers and security experts to call for new laws to strengthen consumer protections and privacy standards. 

"Rather than accepting this trend as the new normal, this latest incident should strengthen Congress's resolve," Sen. Mark Warner, D-Virginia, tweeted. "And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses."

Marriott's response

Marriott has set up a website for consumers affected by the hack, at info.starwoodhotels.com, and a call center. "Call volume may be high, and we appreciate your patience," the company said. 

Marriott also said it is providing free enrollment in WebWatcher, a company that monitors internet sites where personal information is shared, to alert consumers if their data is found there.

Are you affected by the breach?

Anyone who made a reservation on or before September 10, 2018, at a Starwood property could be affected, Marriott said. The company said Marriott properties use a separate reservation system and that its investigation found only the Starwood network was breached.

Which hotels are Starwood properties? 

Starwood properties include: 

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Méridien Hotels & Resorts
  • Four Points by Sheraton 

It also affects all the Design Hotels that participate in the Starwood Preferred Guest program. Starwood branded timeshare properties are also included.

Marriott: Beware of "phishing"

The hotel chain said it will send emails to guests whose data may have been stolen, but warned consumers that fraudsters may send so-called phishing emails that look as if they were sent by Marriott and try to elicit information. The official email will come from starwoodhotels@email-marriott.com, the company said.

Experts: What steps to take

Fraudsters could open fake accounts in consumers' names using the information held in the Starwood database, Rossman of CreditCards.com said.

"To guard against criminals opening fraudulent accounts, I recommend freezing your credit," he said. "It will prevent crooks from opening new credit in your name and can be accomplished for free in just a few minutes by contacting Experian, Equifax and TransUnion."