- The breach dates back to 2014 and potentially affected 500 million customers.
- Millions of guests potentially had credit card information stolen.
- It's likely the second largest data breach in corporate history.
Have you recently stayed at a Starwood hotel such as a Westin or a St. Regis? If so, you should probably change your Starwood passwords and check your credit card accounts because Marriott International announced Friday that its Starwood guest reservation system has suffered a data breach that potentially exposed the data of about 500 million guests.
It’s likely one of the biggest data breaches in corporate history.
Marriott, which owns Starwood hotels, said it received a security alert in September signaling that a data breach had occurred within its systems in 2014. After conducting an investigation, the company said that an “unauthorized party had copied and encrypted information” from its Starwood database.
For about 327 million guests, the exposed information includes a combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, birthdate, gender, arrival and departure information, reservation date and communication preferences. Millions of other guests potentially had their credit card numbers and expiration dates stolen, though this information would have been encrypted in some form.
“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Starwood hotel brands include Westin, Sheraton, The Luxury Collection, Four Points by Sheraton, W Hotels, St. Regis, Le Méridien, Aloft, Tribute Portfolio and Design Hotels. Marriott has set up a website to address questions potentially affected customers might have.
The attorneys general of Maryland and New York said they plan to open investigations into the breach. Shares of Marriott stock were down about 7 percent on Friday afternoon.
What you can do to protect your data
If you’ve stayed at a Starwood hotel in the past few years, it’s definitely a good idea to change any passwords you have tied to a Marriott or Starwood account, and also to verify that there’s been no strange activity on the card you used to pay for your trip.
As far as what you can do to protect yourself against future data breaches, NBC News’ Jeff Rossen, an investigative reporter, advises people to sign up for two-step authentication on services that use credit cards, and to set up fraud alerts with your bank or any business that has your private information.
The biggest data breaches in history
The Marriott breach is likely the second largest corporate data breach ever, second only to a 2013 breach that affected roughly 3 billion accounts tied to Yahoo and its brands. Hackers have various motivations for stealing big caches of data, but chief among them is the intent to steal identities by stitching together a target’s personal information: social security number, credit card numbers, birthdate, etc.
A chart from Trend Micro shows the biggest data breaches to date, excluding the attack announced today.