Marriott International announced Friday a massive data breach that exposed the personal details of up to 500 million guests.
The breach affected the Starwood Reservation Database, which is owned by Marriott. That means guests who have stayed at a Starwood property on or before September 10 may have been affected. The Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Aloft Hotels, among others.
“I don’t know information has been compromised of mine, but probably my name is somewhere out there,” said Wesley Mann of Manhattan.
The data breach first happened in 2014, according to Marriott.
“That long ago?,” asked Carol Reiss, also of Manhattan. “So our data’s been out for that long? Why weren’t they compelled to notify everyone?”
It wasn’t until September that the breach was detected and then it took months for the company to confirm that the Starwood Reservation Database was compromised.
For more than 300 million, the exposed information includes names, addresses, reservation information, birthdates, gender, passport numbers, and phone numbers. Experts say that information helps hackers target and scam guests.
“Millions of people are going to get phishing phone calls from someone that appears to work for the Marriott,” explained Paul Oster, CEO of Better Qualified. “’We’re going to offer you one free night at any Marriott in the world. All we need is some credit card information for incidentals,’ and you’ve just become a victim of this data breach.”
And for some guests, the hacked information also includes encrypted data about credit card numbers and expiration dates, and Marriott says the hackers maybe able access that too.
“Go through all of your accounts at this point in time, and I’m not talking about just the big ticket items. You have to go through every transaction and verify the transaction,” said Oster.
Starting Friday, Marriott is emailing all people who may have been affected and offering one year free of Web Watcher, a service that monitors internet websites that exchange personal and private information. The company will also offer free fraud consultation services to those from the United States.
“[That’s] literally zero comfort,” said Mann. “It’s just one more service that’s going to get breached.”
Oster advises that people shouldn’t wait for corporate responsibility. Whether from the Marriott data breach or a prior one, Oster explained that information about most people is likely already exposed. The best course of action is to protect yourself now: change your passwords; study all account statements, including bank and retirement accounts; issue a fraud alert on your credit; and, if you can, issue a security freeze on your credit so no one can take out new credit in your name.