Marriott’s data breach, disclosed at the end of November, compromised 383 million records, including 5.25 million unencrypted passport numbers and 8.6 million payment cards. Marriott claims most of the credit cards were expired, which means they have that information, but even though they’re telling me my credit card number was compromised they aren’t telling me the expiration date of the card.
Marriott did let me know that the hack of their systems released my unencrypted passport number as well. Even this information isn’t helpful because they don’t let me know which number or whether or not it’s expired.
And why was Marriott even hanging onto this data in the first place, beyond the point at which it was necessary to complete a transaction? Arne Sorenson would have you believe that keeping passport numbers on file was to make it easier for you to reserve rooms, blissfully unaware that it is not necessary to input a passport number at Marriott.com in order to make a booking.
Even if Sorenson wasn’t completely making this up, what on earth were they keeping the data unencrypted for? Marriott wants to blame Starwood for this, but Marriott has been managing the servers for a couple of years, during which time the data has been sitting unencrypted, and they’ve largely played coy about the timeline of the breach.
They offered to let you submit your information and find out whether or not your data was included in the breach. It took over a week for Marriott to respond to me, but readers keep emailing to tell me that, over two weeks later, they’ve heard nothing.
I’ve continued pressing Marriott for a timeline: how long will it take customers who have submitted even more information to them to find out whether their data was part of the breach? They’ve finally shared,
Our goal is to respond to guests within 30 days (which is consistent with many regulatory expectations), but we hope to reduce that time as we work through the initial wave of requests. We are prioritizing requests related to unencrypted passport numbers, and anticipate completing those outstanding requests this week.
Thirty. Days. And that’s a ‘goal’.
They want you to know they are not breaking the law (‘consistent with regulatory expectations’) which is apparently their standard for customer service.