Marriott let me know that the hack of their systems released my unencrypted passport number and unencrypted credit card number. Even this information isn’t helpful because they don’t let me know which number or whether or not it’s expired.
The data breach compromised 383 million records including 5.25 million unencrypted passport numbers and 8.6 million payment cards. Marriott claims most credit cards were expired which means they have that information, but even though they’re telling me my credit card number was compromised they aren’t telling me the expiration date of the card.
And why was Marriott even hanging onto this data in the first place, beyond when it was necessary to complete transactions? Arne Sorenson would have you believe keeping passport numbers on file was to make it easier for you to reserve rooms, blissfully unaware that it is not necessary to input a passport number at Marriott.com in order to make a booking.
Even if Sorenson wasn’t completely making this up, what on earth were they keeping the data unencrypted for? Marriott wants to blame Starwood for this, but they have been managing the servers for a couple of years, during which time the data has been sitting unencrypted, and they’ve largely played coy about the timeline of the breach.
They made an offer to submit your information and find out whether or not your data was included in the data breach. It took over a week for Marriott to respond. They finally replied,
Dear Gary Leff:
We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.
Based on the Email Address you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:
• Company Name
• Address Information
• Primary Email Address
• Primary Phone Number
• Other Phone Information
• Primary Fax Number
• Unencrypted Passport Number
• Encrypted Passport Number
• Passport Issuing Country
• Potential Unencrypted Credit Card Number
• Starwood Preferred Guest (SPG) Number
• Starwood Preferred Guest (SPG) Loyalty Status and Balances
• Guest Frequent Traveler Program Information
• Starwood Executive Traveler Number
• Guest Opt-In Preferences
• Email Communication Preferences
• Reservation Details
• Flight Information
• Central Starwood Unique Record Locator
• Returning Guest Indicator (Y/N)
• Employed at Starwood (Y/N)
• Record History Information
Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com.
If you have further questions or requests regarding this information, please let us know.
Marriott Privacy Center
Marriott has said they’ll help customers who are actually the victims of identity theft. In other words it does not matter that they leaked my unencrypted passport number and unencrypted credit card number — I have to wait until I’ve actually had my identity stolen, perhaps my credit trashed, before they will do anything for me.
For now all they’ll cover is “personal information monitoring.” They aren’t even offering a modest amount of points as an apology, in fact they’re making the points you do have worth less.
Staying in someone else’s room, spending the night and going to sleep, is one of the most intimate and exposed things you can do and fundamentally it requires trust. This strikes to the heart of Marriott’s business, and they’re doing what exactly to regain customer trust?
Since we’re pretty clearly on our own out there, here are four things to do to protect yourself going forward.