Marriott Hotels: 500 Million Data Breach

If you have stayed in one of the following hotels in the last four years, it is very likely that your personal data, possibly including your passport number, has been stolen and is now in the hands of criminals who can use it for a range of malicious purposes. Along with the Marriott brand itself, the Starwood Hotels group (now part of Marriott) includes the following brands:

  • Four Points by Sheraton
  • W Hotels
  • Element
  • Tribute Portfolio
  • Design Hotels
  • Westin
  • St. Regis
  • Le Méridien
  • Aloft
  • Sheraton
  • The Luxury Collection

That covers a lot of hotels across the US and Europe, for both leisure and business travellers. If you have travelled in the last four years, prepare for the worst and be highly vigilant: assume your data is compromised and be on the lookout for a variety of social engineering attacks.

The incident affects customers who made reservations at Starwood hotels on or before 10 September 2018. Marriott says it discovered the breach on 8 September 2018 but found there had been unauthorised access to its Starwood network since 2014. If you are concerned, you can also go to its dedicated help website or phone the UK help centre on 0808 189 1065.

For roughly 327 million of those guests, Marriott says the exposed information includes some combination of name, phone number, email address, passport number, date of birth and arrival and departure information. For an unstated number of others, payment card numbers and card expiry dates were also taken; Marriott says those numbers were encrypted, but it has not ruled out that the material needed to decrypt them was taken as well.

As a start, here are three things to look out for over the coming months to protect yourself while travelling.

1) Copycat phishing, vishing or smishing

Unfortunately, incidents like this always create "open season". Cybercriminals of every kind will jump on the bandwagon whether or not they actually hold your compromised data. Some will claim to have it and threaten to share it unless you pay a ransom. DO NOT pay any ransom.

Marriott said it will email Starwood Preferred Guest members and others who may be affected by the breach. It will not be long before cybercriminals send out a near-identical email, but this time with malicious links designed to compromise your computer or device and steal more data from you, or worse. Do not click on links in these emails, or in other communications (including social media messages) that appear to come from Marriott or any of the other Starwood hotels. Most important of all, DO NOT open any attached documents.

Remember that criminals will use many different routes to get through your defences, including voicemail messages, robocalls and text messages claiming to be from any of the hotels above. These criminals have your phone number and possibly a great deal of other personal data, so do not be tricked by a caller who "knows" things about you.

2) Spear phishing

Starwood Preferred Guest accounts have been compromised, which means both your business and possibly your personal email addresses can be targeted with messages pretending to come from one of the hotels in the group. The attackers hold a lot of detailed information (your stay dates, the properties you visited, your loyalty number), so they can craft a very convincing, highly specific email and trick you into handing over even more information, or your card or bank account details. Watch for such emails in your inbox and delete them immediately, or report them to your IT team. If you are not sure, phone the hotel directly using a number from its official website, not a number printed in the email. Or give us a ring if you are stuck.
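The two sections above boil down to one habit: before you trust a link in an email that claims to come from the hotel group, check where it really goes. The script below is an added example written for this article, not code from Marriott, Starwood or the original author. It parses a constructed HTML email, pulls out every link, and flags two classic phishing tells: the visible text names one domain while the real `href` points at another, and the real destination is not on a short allowlist of domains the sender is entitled to use. The allowlist and the sample email are assumptions for illustration.

```python
"""Flag suspicious links in an HTML email that claims to come from Marriott/Starwood.

Added example for this article, not code from Marriott, Starwood or the author.
Stdlib only, so it runs offline on any Python 3 install.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: domains the hotel group legitimately links to. A real tool would
# maintain this list from the company's published contact pages.
TRUSTED_DOMAINS = {"marriott.com", "starwoodhotels.com", "spg.com"}

# Hostname-looking token inside visible link text, e.g. "www.marriott.com".
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'a.b.marriott.com' -> 'marriott.com'.

    Good enough for .com/.net style names; a production checker should use the
    Public Suffix List so that 'x.co.uk' is not collapsed to 'co.uk'.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_shown_in_text(text: str):
    """Registrable domain the link *appears* to point at, judging by its text."""
    m = HOST_RE.search(text)
    return registrable_domain(m.group(0)) if m else None


def check_links(html: str):
    """Return one finding per link with the reasons it looks suspicious (if any)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        real = registrable_domain(parsed.hostname or "")
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {parsed.scheme!r}")
        if real not in TRUSTED_DOMAINS:
            reasons.append(f"lands on untrusted domain {real!r}")
        shown = domain_shown_in_text(text)
        if shown and shown != real:
            reasons.append(f"text shows {shown!r} but link goes to {real!r}")
        findings.append({"href": href, "text": text, "domain": real,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample: a copycat "breach notification" with one lookalike link,
# one bare lure, and one genuine link. The .example domains are fictitious.
SAMPLE_EMAIL = """
<p>Dear Guest, your Starwood Preferred Guest account may be affected.</p>
<p><a href="https://marriott.com.account-verify.example/login">https://www.marriott.com/login</a></p>
<p><a href="https://secure-spg-rewards.example/claim">Claim your free night</a></p>
<p><a href="https://www.marriott.com/">Visit Marriott.com</a></p>
"""


def suspicious_count(html: str) -> int:
    return sum(1 for f in check_links(html) if f["suspicious"])


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run it and the first two links are flagged (the first for both a visible-text mismatch and an untrusted destination, the second for an untrusted destination only) while the genuine marriott.com link passes. The same logic applies to a link in a text message: compare the domain you see with the domain you would actually be sent to.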

3) Check your credit card statements

If you used a credit card with any of these hotels, there is a possibility that the criminals have its details. It is not yet confirmed that they do, but it is best to err on the side of caution. Monitor your statement closely and, if your bank offers it, turn on an alert for every transaction. Do not just check it monthly; by then it could be too late. It may be worth simply requesting a replacement card to be safe, and destroying the old one.

Never reuse a password across financial websites, and if you have, change it on each of those sites immediately. As a matter of good practice, choose a different, complex password for every sensitive account; better still, use a password manager such as LastPass to generate and store them.

"WebWatcher" security monitoring service

Apparently, Marriott is offering victims in the USA, UK and Canada a free one-year subscription to a Kroll identity service called "WebWatcher". Marriott describes it as a service that monitors "internet sites where personal information is shared", meaning it watches hacking forums and dark web markets for compromised data records.

There are two problems with this kind gesture. Apart from being too little, too late, you have to hand all your private details to the monitoring service: it needs them in order to search the big bad world for your specific data. What if the monitoring system itself gets hacked? And what if the service you believe to be legitimate is actually a fake, so you are typing your most sensitive data straight into the criminals' hands?

It is better to change what you can and look after yourself than to rely on a third party. This is my personal opinion.

Printable resources

We suggest you grab this PDF from KnowBe4. Print and laminate it and give it to all your frequent travellers, be they friends or business associates. It is the whole module summarised on a single page, incredibly handy. Here is the PDF as a free job aid you can give to your employees.


One comment

  1. Cheers for the info.
     Did receive an email from Starwood Hotels which was written in Chinese or similar, so deleted it without opening any links.
