Marriott Compounds Their Massive Data Breach, Fails to Deliver on Promises

In the fall, Marriott revealed one of the biggest data breaches in history, and certainly the biggest known breach in travel.

In all, 383 million records were hacked, including 5.25 million unencrypted passport numbers and 8.6 million payment cards (most expired). Marriott has not revealed whether the notes they’ve taken on you were exposed.

Marriott’s CEO said they stored your passports to make life easy for you so you wouldn’t have to keep entering them during the booking process. Which shows he understands about as much about making Marriott reservations as his tech team understands about security.

A week ago Marriott revealed a service to let customers check to see if their data was compromised as part of the breach.

The site required you to enter even more personal information – including your email address, former Starwood Preferred Guest number (do you remember it?), and part of your passport number (what if you’ve renewed since the number Marriott kept on file?). These last two items are optional. Then they make you confirm the email address you provided.

And you wait. And wait. And wait.

After an entire week I had not received a response from Marriott as to whether my account information was compromised. They said the response wouldn’t be instant, but they never said it would take this long.

I have reached out to Marriott multiple times asking whether the process is working as intended, and when consumers should be hearing back. I’ve had to wait, and wait, and wait for that as well — my inquiries have gone unanswered too.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.



  1. Why has there not been a class action suit against SPG over this? This is plain negligence. I am not a proponent of frivolous lawsuits. But, unencrypted highly sensitive data is not acceptable. Maybe a big class action suit would cause Marriott to have to spin SPG off and we could get our favorite hotel program back. Yea, I know, wishful thinking!!!

  2. Don’t feel like “The Lone Ranger” – I am in the same situation.

    I answered their questions and then nothing from them.

  3. So fool me once…….
    AFAIAC anyone who provides MORE info to them given their demonstrated complete and utter incompetence with all things IT and expects competence at this point……. well I have a bridge to sell u cheap 😉

  4. Thanks for following up on this, Gary. I’m afraid that @est has a point about our willingness to buy a bridge, as I’m one of the folks who gave Marriott even more info a week or more ago and has yet to hear anything from the company. Arne Sorenson’s Marriott is following in the footsteps of Jeff Smisek’s United, in terms of the reputation and performance of both the CEO and the company. In the wake of how poorly it handled the original breach, it’s incredibly arrogant and incompetent that Marriott first reached out to customers and then did nothing to follow up.

    Now I’ll put on my political hat, with all due respect to my fellow frequent flyers out there: There was a time when the federal government would have adopted legislation, regulations and/or supervision to prevent and punish such irresponsible corporate conduct. But with Republican control over the presidency, half of Congress and the courts, wishing for such action is a pipe dream.

  5. @steve the data breach occurred and was discovered under the Obama administration. So why didn’t THEY do something about it? You Trump haters are unbelievable

  6. MR is a sinking boat, I will finish my 9th year as platinum & jump ships.

    @DNN & Rjb No, the real culprit is the global warming.

  7. KTC: Lizzy Warren says we are should get reparations for this Marriott screwup, at least if you are a native american. I wuz born here so I is a native, but if you weren’t born here in america, you ain’t no native american , so no reparations for you!

  8. @Rjb

    Actually you are part wrong. Marriott discovered the breach in Sept. 2018, announced the breach in Nov. 2018. From all sources it occurred at Starwood prior to the merger, from 2014. Under Trump, intelligence officials think that because there was so much personal data (327 million passports) that this hacking was to track people. Because with passport data, they can track people crossing borders and what they look like. It is China that is doing this. The Obama administration tried to block the AnBang acquisition of Starwood which ultimately led to Marriott winning the prize. 327 million people had their passport info taken. And they were not all Americans. Since Starwood had so many high end properties in Asia, specifically China, the passport info gives so much info on who is traveling where. This is a pure corporate espionage play.

    Separately, I don’t think Marriott will do anything about this passport info. Unless the government requires it.
