My Marriott Data Breach Results (Finally)

Filed Under: Marriott, Starwood Preferred Guest

In late November 2018, Marriott revealed the details of a massive data breach. This involved Starwood’s guest reservations system, with an unauthorized party potentially copying and encrypting information all the way from 2014 until September 10, 2018.

This breach included up to 383 million guests, and up to 5.25 million unencrypted passport numbers were included.

In mid-February — nearly three months after the breach was revealed — Marriott set up a website where you could check if you were impacted by the breach. However:

  • This was on a third party website, which many people were suspicious about
  • This involved entering even more personal information (which most people don’t want to do when their information has already been compromised)
  • While you could submit info, no timeline was provided about when you’d find out if you were impacted; initially my impression was that you’d find out right away, but that wasn’t the case

Well, last night, just under four weeks from when I submitted my info, I finally received an email regarding this, with a link to view my results. I briefly opened this at dinner, and crucially saw that my passport info had been compromised.

Two slight issues:

  • The email says “if you have any questions, please contact a member of the privacy team,” with no contact information for the privacy team
  • Apparently you can only view the results once; I briefly opened the link at dinner and then this morning intended to look at them in more detail

When I try to open the results now, I get the following message:

So I enter my email and it says a new link “has been sent” (which sounds past tense to me, as in the email should already by in my inbox), only no link actually sends.

So maybe it’s another four weeks before the link comes through again? However, I do know from briefly peeking at my results last night that I was compromised in just about every category.

For what it’s worth, it seems the responses are roughly as follows:

We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.

Based on the information you provided to us, we believe that your information was involved.

Following our analysis, we believe that the following information about you was involved in the incident:

* Name
* Birthdate
* Birthday (Month and Day Only)
* Address Information
* Primary Email Address
* Primary Phone Number
* Other Phone Information
* Unencrypted Passport Number
* Encrypted Passport Number
* Passport Issuing Country
* Starwood Preferred Guest (SPG) Number
* Starwood Preferred Guest (SPG) Loyalty Status and Balances
* Guest Frequent Traveler Program Information
* Starwood Executive Traveler Number
* Guest Opt-In Preferences
* Email Communication Preferences
* Reservation Details
* Flight Information
* Central Starwood Unique Record Locator
* Registered Online Customer Indicator (Y/N)
* Returning Guest Indicator (Y/N)
* Employed at Starwood (Y/N)
* Record History Information

Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com.

If you have further questions or requests regarding this information, please contact us through this portal. You will continue to have access to this request for the next 30 days.

Thank you.

Marriott Privacy Center

Yeah, the only problem is that I only had access to this once, and not for 30 days. Furthermore, I’d love to contact them through the portal, but I can’t actually log into the portal.

Anyone else receive their data breach results? If so, how has your experience been?

Comments
  1. I wasn’t affected but their response was still less than comforting.

    I didn’t include my membership number in the request form, figured they would get it based on email.

    But in the response they didn’t mention my membership number, which, from a data perspective, if that’s the best and primary key, I would expect them to include that. And given how this whole thing is playing out I just don’t have confidence that they really checked anything? Am I unreasonable to think this way?

  2. You’re supposed to call it the “Starwood” data breach lol.

    The report for me was exactly the same. Why set up such an intricate process if they were just going to provide identical and generic responses?

  3. I got the same email, except that my passport info does not appear to have been involved. I am not concerned, as the appearance my personal info in the “dark web” was already one of the features of my current credit monitoring service.

  4. Only your name, address, birthday, and passport number? Nothing anyone evil could possibly do with that.

    A bit curious whether that means your US passport, DE passport, or both?

  5. Lucky, first thanks for opening what clearly looked like phishing email. I actually wasn’t going to open it! Given you took the leap I did too. EVERYTHING you listed was in mine too. Would have been good to let me know WHICH passport number involved as I have several. But why would I think that!

  6. Given all that has happened, I don’t understand why people would trust Marriott by giving up even more sensitive data to a third party to check if their data was breached. There are so many red flags here.

  7. I got the same response. This is basically:
    The following information we collected about you should now be considered to be publicly available and for sale, probably for use in fraud or other criminal activity. We will supply you with a monitoring service that will collect even more personal information about you and then tell you if anyone is stupid enough to publish your un-encrypted information where law enforcement can find it and trace it back to them. In the mean time, the monitoring service creates another target for the hackers. Take whatever precautions you feel you should. Please don’t blame us, as we only bought the company that allowed this to happen and don’t think it can happen to *our* systems. In the mean time, we will continue to collect information about you and store it referencing this key information to make it easier for future breaches to link the data about you together.
    We don’t think we owe you anything because you haven’t had any actual harm. If you are hacked, good luck proving it had anything to do with this data breach, we have retained an army of lawyers.

  8. If they “steal” (learn) my passport info, I’ll get a new passport. If they learn my credit card number and buy stuff, I won’t pay for that stuff and I’ll get a new credit card. If they learn my birthdate, address, full name, phone number and get a mortgage, a Challenger, a Maybach, casino chips and 5 hookers, I won’t pay for these things. Any bank that wants me to panic when their filing cabinets are stolen is in for a yawn.

    How did the big companies persuade so many into thinking this data is “property” that can be “stolen” from us? Actually it’s data, which they use in secret, for their private profit-seeking purpose, to keep track of us.

    Outrage at the breaches is misdirected. I’m outraged at the lies that brainwash people into thinking it’s our problem.

    If Marriott writes my name and birthdate down, assigns me an account number, and then someone steals their filing cabinets, it doesn’t mean I have to pay for some crook’s new Hummer.

    Yawn, if you want me to pay or panic, wait in line behind behind Friends of the Earth, PETA, GLAAD, WHO.

  9. everything was hacked. this convoluted exercise to receive your results of “what was hacked” is merely a pr exercise to reduce the fallout.

  10. I work in the data world, there’s NO WAY I’d consider keeping sensitive data unencrypted. The last time I stored anything major as plain text was in 1999, we quickly encrypted the sensitive data. Just to frame how long ago that was, I worked at TWA at the time…

  11. The fact stolen data is still not on darknet, and Anbang was interested in accquiring Starwood, makes the whole thing bit of interesting now.

  12. @Debit

    Make a video and put it on Youporn mate, you know you want to.

    Would give the rest of us a bit of peace and quiet around here, while you are away doing it.

  13. Like MikeF, I thought it was a phishing e-mail, too, and didn’t open it 😀 Guess I’ll go check it again and see if I can still get through.

    Why am I not surprised that Marriott has — as always — made this as convoluted and difficult as possible? #Bonvoyed again!

  14. @lucky Did you have data in every category? I think these are blanket ‘cover everything’ emails. I received the same email, but never had any data in some categories e.g., Starwood Executive Traveler Number, so there could not have been anything stolen.

    What does this tell us? Answer: They still don’t know exactly what data was stolen

  15. I didn’t even fill the form out, I figured “Why? What else can they really do to help other that to say “Your Hacked!” Good grief, I get my BA Visa card hacked almost once every 3 weeks. Chase can’t figure it out, so how could I ever solve the mystery. The game repeats again and again, yet Chase keeps overnighting me a new card every month. Everyone talks about being breached, but what really is the solution going forward? Should we change our name, social security # (I don’t think you can even do that?) and passport(s) numbers? Then the Starwoods of the world are just going to ask for all the new info again… and sooner or later you know what’s going to happen. I mean really? What is the point?

  16. @JD The point is to take all precautions to protect the value of Starwood/Marriott shares. Anecdote: my bank robocalled me to tell me my debit card had been “compromised”, new one on the way. It arrived and same day, another robocall, “card compromised”. I got pissed, went to branch manager, told her I won’t rest until she learns exactly what happened. What didn’t happen is my card being compromised, I hadn’t even used it once. Took her months, but eventually she got an employee in bank’s Security/Fraud department to admit he made a mistake and loaded 100 cards as “compromised” when they were in fact the replacements for the troubled ones. Oops.

    Security is the opposite of convenience.

    When they say “security” they’re gonna make something worse.
    When they say “more choice” they’re gonna make something more expensive.
    When they say “we listened” they’re gonna take away the thing you value most.
    When they promise to make something simpler, it won’t do what you want any more.

    Somebody stop me, or prove me wrong, or make it go away.

  17. Only one year credit monitoring? I get “scam” emails from data breach from like 4 years ago. While credit card number breach is mot perishable, the personal data need a longer monitoring.

Leave a Reply

Your email address will not be published. Required fields are marked *