Marriott let me know that the hack of their systems released my unencrypted passport number and unencrypted credit card number. Even this information isn’t helpful because they don’t let me know which number or whether or not it’s expired.
The data breach compromised 383 million records including 5.25 million unencrypted passport numbers and 8.6 million payment cards. Marriott claims most credit cards were expired which means they have that information, but even though they’re telling me my credit card number was compromised they aren’t telling me the expiration date of the card.
And why Marriott was even hanging onto this data in the first place, beyond when it was necessary to complete transactions? Arne Sorenson would have you believe keeping passport numbers on file was to make it easier for you to reserve rooms, blissfully unaware that it is not necessary to input a passport number at Marriott.com in order to make a booking.
Even if Sorenson wasn’t completely making this up, what on earth where they keeping the data unencrypted for? Marriott wants to blame Starwood for this but they have been managing the servers for a couple of years during which time the data has been sitting unencrypted and they’ve largely played coy about the timeline of the breach.
They made an offer to submit your information and find out whether or not your data was included in the data breach. It took over a week for Marriott to respond. They finally replied,
Dear Gary Leff:
We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.
Based on the Email Address you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:
• Name
• Company Name
• Address Information
• Primary Email Address
• Primary Phone Number
• Other Phone Information
• Primary Fax Number
• Unencrypted Passport Number
• Encrypted Passport Number
• Passport Issuing Country
• Potential Unencrypted Credit Card Number
• Starwood Preferred Guest (SPG) Number
• Starwood Preferred Guest (SPG) Loyalty Status and Balances
• Guest Frequent Traveler Program Information
• Starwood Executive Traveler Number
• Guest Opt-In Preferences
• Email Communication Preferences
• Reservation Details
• Flight Information
• Central Starwood Unique Record Locator
• Returning Guest Indicator (Y/N)
• Employed at Starwood (Y/N)
• Record History InformationWhere available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com.
If you have further questions or requests regarding this information, please let us know.
Thank you.
Marriott Privacy Center
Marriott has said they’ll help customers who are actually the victims of identity theft. In other words it does not matter that they leaked my unencrypted passport number and unencrypted credit card number — I have to wait until I’ve actually had my identity stolen, perhaps my credit trashed, before they will do anything for me.
For now all they’ll cover is “personal information monitoring.” They aren’t even offering a modest amount of points as an apology, in fact they’re making the points you do have worth less.
Staying in someone else’s room, spending the night and going to sleep, is one of the most intimate and exposed things you can do and fundamentally it requires trust. This strikes to the heart of Marriott’s business, and they’re doing what exactly to regain customer trust?
Since we’re pretty clearly on our own out there here are four things to do to protect yourself going forward.
Thanks for this, Gary. No update yet from Marriott re my own reply to them more than a week ago, informing them that I’d like such an update on whether and what of my info was breached.
Too bad the federal government is no longer in the business of protecting people against such corporate abuses, whether it be via new legislation, regulations or disciplinary actions. But perhaps we’ll yet see private lawsuits or state actions or an investigation by the relevant House committee.
I wonder if you had received a response given you posted about not receiving one yesterday. I haven’t had any response.
Wow–one year of monitoring? That’s it? What happens if the hackers hold onto the passport info for 366 + days and then decide to use your info? How will Marriott handle that?
I don’t know why the US isn’t adopting the same privacy laws that the EU uses.
Expired credit card numbers can often still be charged — it depends on the issuer. Even closed accounts are sometimes chargeable. So knowing it’s expired doesn’t offer a lot of confidence.
Source: working in the industry.
I also did not receive any response from Marriott even though I requested data as soon as Gary’s article appeared.
Perhaps Gary’s comments in his blog induced Marriott to answer him while the rest of us are put on the back burner, or so it seems.
Considering the data breach, would it be so terrible (on check in) if we “pretend” that we lost our passport to avoid having it needlessly copied by the hotel personnel? Or, can we check in on a mobile phone without copying our passport?
There really is no legitimate purpose in making a copy of our passport merely because we chose to stay at Marriott.
The hotel has our credit card data as well as other personal data about us. What is the point of including our passport copy in their files?
In this digital age, unnecessary inclusion of our personal data about guests is just asking for abuse.
More BS from Marriott. I find some dark humor in the cheap psychological ploy of having people enter their SPG number instead of their Marriott or Bonvoy number. It’s like some childish way of distancing themselves from the problems. “Nope, that’s not us. It’s our wholly owned subsidiary. Totally different thing.”
Marriott first detected evidence of hacking in the Starwood database on September 8 of last year but didn’t disclose the breach until November 30. That’s one of the lamest moves in IT, waiting for a hail mary to save your skin like wishing that nothing of value was actually taken. Instead of immediately warning customers their data was probably compromised, the company took almost three months to announce that guest information in the Starwood database was stolen. Did anyone at Marriott actually think it would be anything else?
I wouldn’t even bother asking them about the specific customer data that was stolen. If you checked into an SPG hotel in Europe, assume it was all taken. Marriott hasn’t shown that they should be trusted to give accurate information about the breach, so why bother inputting account and other details into yet another database that the company doesn’t know how to protect.
If the millions of cards must be replaced I expect Marriott will be sued to reimburse the bank issuers. But that does nothing for the consumers that will be inconvenienced. I don’t need another year of credit monitoring. I already have 3 “free” credit monitoring services thanks to multiple breaches. If Marriott wants to generate goodwill it might offer compensation in the form of (devalued) points. That would set a baseline standard for other companies to follow.
Why would anyone ever give a passport number to a hotel chain? No way.
Gary. Loved reading this and then watching Bonvoy Bonvoy Bonvoy during the Oscars. Considering they are a beast of a company that could care less about its customer it brought a smile to see this integration. Why? Turbo Tax. Free. Free. Free. #failedmedia
When my status with Marriott is gone, so am I.
@dmg9 and @ORD Flyer
Oddly some countries require presentation of your passport to check in to a hotel, India, Japan and Germany come to mind though I haven’t been in Germany in many years so this may have changed.
I’m very curious to find this information out. When and how would Starwood have received your unencrypted passport information? There was never any field on the SPG profile that requested passport information. The only other time I’ve ever supplied a hotel with my passport was when I checked in and it was required for a local laws. I have presented this question multiple times to both Marriott and the special phone number set up for the data breach and no one ever seems to have any clearer understanding to my question. So curious to know how you supplied your psssport number
“ORD Flyer says:
February 24, 2019 at 7:20 pm
Why would anyone ever give a passport number to a hotel chain? No way.
__________________________
That is part of the breach. In some foreign countries, often our passports were requested on check in and a copy of it was kept in our file with Marriott.
That is why – I can see no logical reason for our passports to be shown considering the hotel has all our other personal data.
The breach was not limited to names, addresses, phone numbers and credit card numbers.
@ric – yes this would have been at a hotel check-in
@ORD Flyer required by law at check-in in many countries
So are used to stay at one particular hotel very frequently which was the Sheraton Amsterdam airport. Each time I checked and I would say… Don’t you have this information for my last day? And the answer would always be we never keep passport information. It is forwarded to the local authorities… That’s why am so confused by this whole Marriott breach involving passport numbers!
Ric – “And the answer would always be we never keep passport information. It is forwarded to the local authorities… That’s why am so confused by this whole Marriott breach involving passport numbers!”
Surprise, people do not always tell the truth! Or, the employees did not know what happens to the copied passport data. Once the passport is copied into the hotel system, who knows what happens to the copy.
@Gary: How was the reply sent? email?
I went to the site for FREE one year monitoring. But to get the one year monitoring you have to give all your personal data that was exposed to a third party vendor. The agreement indicates that you agree to hold third party vendor harmless and you are providing them indemnification. So how does this help me protect my data? It puts me in the exact same location that I am in now. Exposed data with no one responsible. I am voting with my feet -and quickly walking away from the Marriott program.
If Marriott were a 1980s game show would they be Jokers Wild or The Price is Right? Guess that depends if you look at it from the hackers’ perspective or not
Actually this all happened to the Starwood side while Starwood was not yet merged with Marriott. Marriott inherited this problem.
However, Marriott, as the successor company has failed in coming to some resolution and the “free” service is a joke