What Happens When Your Marriott Account Gets Hacked?

A reader noticed about 100,000 points missing from their Marriott Bonvoy account. Not everyone checks their accounts regularly, and that’s one of the reasons that allowing Award Wallet and similar apps to access member accounts is so smart for account security. With a single button a member can check all of their points balances, and see when their account has been drained – right away, not months after a crook has stolen their points and flown, stayed, or used their miles for merchandise.

  • The reader called Marriott right away.
  • They messaged me after they’d been on the line for 40 minutes, sharing that they were told they would not get their points returned “until Marriott does an investigation.”
  • In total they were on the phone for an hour and a half, much of it on hold. The agent would “pop in every so often to ask a question about activity” on the account. Out of 90 minutes only a couple of minutes were spend talking.
  • The agent couldn’t “promise how long it would take for the investigation” but was told to expect 45 days.

The member was completely locked out of their account while the account was placed under audit. They thought their account might get closed through no fault of their own.

In the end it didn’t take 45 days for the investigation. Their account was taken of of audit, and points were returned, after 44 days.

Ever since the historic Marriott data breach four years ago security people have trumped loyalty people. And nowhere does that seem to be more true than at Marriott itself.

And when your account goes under audit you’re stuck on the phone with them just to begin the process of an investigation that then takes a month and a half during which time they lock you out of your account. What are the odds the customers they do that to want to stay loyal customers?

It makes sense to try to limit the costs of fraud, but when it creates so much friction for your best members to try to do business with the brand the losses to the chain may, in the end, exceed the fraud savings.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. @Gary I’m legit the last person to call anyone out on this but it’s become a little unbearable recently. Throw your articles in Grammary.com or something similar before posting, please. There’s like nine typos/words here in this one that make no sense. Just trying to help because I genuine love your blog. Don’t make harder to read. 🙂 Happy Saturday.

  2. Eh, this is an example of the old n = 1 sample size analysis. Counter-anecdote: a few months ago I woke up to a very large, very odd redemption having been made out of my MR account. Started the process of the investigation and it moved very quickly. PIN was placed on my account immediately but I retained full functionality. Points were back within a few days. Investigation continued in parallel but at no hindrance to my ability to transact with properties. Was given a direct point of contact in case there were any issues when trying to book (e.g. a property saw my account as locked or such). Overall, went about as smoothly as I could envision. The point? The only thing that holds true here is that, as always, YMMV.

  3. Same thing just happened to us….I was on the phone for 2.5 hours and now we have to send info to prove we did not screw up. 2 stays earlier in Aug and one about to happen. How do they not require picture ID upon check in

Leave a Reply

Your email address will not be published.