Marriott’s data breach, first disclosed at the end of November (with the figures revised downward in early January), compromised 383 million records, including 5.25 million unencrypted passport numbers and 8.6 million payment cards (encrypted, according to Marriott). Marriott says most of those cards were already expired, which means it has the expiration data, yet even though it has told me my card number was compromised, it won’t tell me the expiration date of that card.
Marriott did let me know that the hack of their systems released my unencrypted passport number as well. Even this information isn’t helpful because they don’t let me know which number or whether or not it’s expired.
And why was Marriott even hanging onto this data in the first place, beyond the point where it was needed to complete a transaction? Arne Sorenson would have you believe passport numbers were kept on file to make it easier for you to reserve rooms, blissfully unaware that Marriott.com does not require a passport number to make a booking.
Even if Sorenson wasn’t completely making this up, what on earth were they keeping the data unencrypted for? Marriott wants to blame Starwood, but Marriott has been running those servers for a couple of years, during which time the data sat unencrypted, and they’ve largely played coy about the timeline of the breach.
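What a minimal-retention guest record could look like, as an added illustration of the point above; this is not code from the post and not anything Marriott or Starwood runs. It assumes that a keyed one-way token is enough to recognize a returning guest’s passport (an assumption; a property that is legally required to hold the number for a period would instead encrypt it under a key kept outside the reservation database), and that card details can be dropped 30 days after checkout or as soon as the card expires (both figures are assumptions). The sample data is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Constructed for this example: a random tokenization key. In production the
# key would live in a KMS/HSM, never alongside the guest data it protects.
TOKEN_KEY = secrets.token_bytes(32)


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token (HMAC-SHA256) over the normalized value.

    Equal inputs give equal tokens, so a returning guest's document can be
    matched, but the raw number is never stored and cannot be recovered from
    the token without the key. A plain hash would not do: passport numbers
    are short enough to brute-force.
    """
    norm = "".join(value.split()).upper()
    return hmac.new(key, norm.encode("ascii"), hashlib.sha256).hexdigest()


def card_expired(exp_year: int, exp_month: int, today: date) -> bool:
    """A card printed MM/YY is valid through the last day of that month."""
    if exp_month == 12:
        first_of_next = date(exp_year + 1, 1, 1)
    else:
        first_of_next = date(exp_year, exp_month + 1, 1)
    return today >= first_of_next


@dataclass(frozen=True)
class GuestRecord:
    name: str
    checkout: date
    passport_token: Optional[str] = None   # token only, never the raw number
    card_last4: Optional[str] = None       # enough to answer "which card?"
    card_exp_year: Optional[int] = None
    card_exp_month: Optional[int] = None


def create_record(name: str, checkout: date, passport_number: str,
                  pan: str, exp_year: int, exp_month: int) -> GuestRecord:
    """Build the stored record; the raw passport and full PAN never persist."""
    return GuestRecord(
        name=name,
        checkout=checkout,
        passport_token=tokenize(passport_number),
        card_last4=pan[-4:],
        card_exp_year=exp_year,
        card_exp_month=exp_month,
    )


def apply_retention(rec: GuestRecord, today: date,
                    grace_days: int = 30) -> GuestRecord:
    """Drop payment fields once the card has expired or the stay is long past.

    Assumed policy: card details are needed only until the folio settles,
    taken here as 30 days after checkout. After that, or once the card has
    expired, there is no business reason to keep them, so the purge job
    clears them rather than leaving them for an intruder to collect.
    """
    if rec.card_exp_year is None or rec.card_exp_month is None:
        return rec
    stale = today > rec.checkout + timedelta(days=grace_days)
    expired = card_expired(rec.card_exp_year, rec.card_exp_month, today)
    if stale or expired:
        return replace(rec, card_last4=None,
                       card_exp_year=None, card_exp_month=None)
    return rec


if __name__ == "__main__":
    # Constructed sample data; not real guest information.
    rec = create_record("A. Guest", date(2018, 9, 10), "X 1234567",
                        "4111111111111111", 2018, 9)
    print(rec)
    print(apply_retention(rec, date(2018, 10, 15)))
```

The point of the split is that a breach of the reservation database then yields a keyed token and the last four digits, not something a passport office or card issuer would recognize, and the purge job bounds how much of even that survives.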
They offered to let you submit your information to find out whether your data was included in the breach. It took over a week for Marriott to respond to me, and readers keep emailing to say that over two weeks later they’ve heard nothing.
I’ve continued pressing Marriott for a timeline: how long will it take customers who have submitted even more information to them to find out whether their data was part of the breach? They’ve finally shared:
Our goal is to respond to guests within 30 days (which is consistent with many regulatory expectations), but we hope to reduce that time as we work through the initial wave of requests. We are prioritizing requests related to unencrypted passport numbers, and anticipate completing those outstanding requests this week.
Thirty. Days. And that’s a ‘goal’.
They want you to know they are not breaking the law (‘consistent with regulatory expectations’), which is apparently their standard for customer service.
Words fail.
Good one, Gary. Keep banging this drum. Marriott’s handling of this is horrible.
“We are prioritizing requests related to unencrypted passport numbers.”
And how can they do that?
It’s Marriott. They just don’t care.
What about their new draconian cancellation policy that is not disclosed without digging 3 screens in?
How did you contact Bonvoy? Did you contact their social media team? Email them?
What is the best way to contact them and ask if my data was stolen?
I’m going to offer this up not as an excuse for Marriott (as 90% of all my stays are now at Hilton), but as a logical reason they are doing something that on its surface seems so consumer unfriendly:
It is well-known in intelligence circles that this whole hack was related to Anbang’s failed attempt to buy Starwood. The Chinese government literally stole all information that Starwood had on file and is using it for who knows what. Marriott is probably getting huge pressure from Intelligence agencies to let them do their investigating, while also having to deal with irate customers.
Again, not an excuse for the disastrous Marriott merger, but probably puts it into a new light as to why this is likely going on.
So I contacted Starwood/Marriott’s KROLL Call Center and the complete idiots that answer the phones don’t actually know anything. They want all your credit card information and passport numbers to pass on to someone else who will get back to me. I said NO WAY. So after a lot of e-mail back and forth they finally suggested I contact Marriott directly at MarriottDPO@marriott.com
I e-mailed them and they responded immediately saying they will look into it for me (note I never gave them my SPG number or any other personal info).
About 21 days later, I received the following e-mail (below). I never worked at Starwood. Obviously a form letter which still doesn’t answer any questions – just creates more questions. Also it’s hilarious that they refer you to http://www.starwoodhotels.com which itself reverts to Marriott!
Dear xxxxxxxxxx,
We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.
Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:
Name
Company Name
Gender
Address Information
Primary Email Address
Primary Phone Number
Other Phone Information
Encrypted Passport Number
Credit Card Expiration Date
Credit Card Type
Encrypted Credit Card Number
Starwood Preferred Guest (SPG) Number
Starwood Preferred Guest (SPG) Loyalty Status and Balances
Guest Frequent Traveler Program Information
Starwood Executive Traveler Number
Guest Opt-In Preferences
Email Communication Preferences
Reservation Details
Central Starwood Unique Record Locator
Returning Guest Indicator (Y/N)
Employed at Starwood (Y/N)
Record History Information
Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com.
If you have further questions or requests regarding this information, please let us know.
Thank you.
Greg Reid
Data Protection Officer
Marriott International, Inc.
10400 Fernwood Road, Bethesda, MD 20817
United States of America
MarriottDPO@marriott.com
They replied to me as well today.
“Dear xxxxxxxxxxxxxxxxxxxxxxx
We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.
Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:”
blah blah blah…