In late November 2018, Marriott revealed the details of a massive data breach. This involved Starwood’s guest reservations system, with an unauthorized party potentially copying and encrypting information all the way from 2014 until September 10, 2018.
This breach involved up to 383 million guests and included up to 5.25 million unencrypted passport numbers.
In mid-February — nearly three months after the breach was revealed — Marriott set up a website where you could check if you were impacted by the breach. However:
- This was on a third-party website, which many people were suspicious about
- This involved entering even more personal information (which most people don’t want to do when their information has already been compromised)
- While you could submit info, no timeline was provided about when you’d find out if you were impacted; initially my impression was that you’d find out right away, but that wasn’t the case
Well, last night, just under four weeks from when I submitted my info, I finally received an email regarding this, with a link to view my results. I briefly opened this at dinner, and crucially saw that my passport info had been compromised.
Two slight issues:
- The email says “if you have any questions, please contact a member of the privacy team,” with no contact information for the privacy team
- Apparently you can only view the results once; I briefly opened the link at dinner and then this morning intended to look at them in more detail
When I try to open the results now, I get the following message:
So I enter my email and it says a new link “has been sent” (which sounds past tense to me, as in the email should already be in my inbox), only no link actually sends.
So maybe it’s another four weeks before the link comes through again? However, I do know from briefly peeking at my results last night that I was compromised in just about every category.
For what it’s worth, it seems the responses are roughly as follows:
We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident.
Based on the information you provided to us, we believe that your information was involved.
Following our analysis, we believe that the following information about you was involved in the incident:
* Birthday (Month and Day Only)
* Address Information
* Primary Email Address
* Primary Phone Number
* Other Phone Information
* Unencrypted Passport Number
* Encrypted Passport Number
* Passport Issuing Country
* Starwood Preferred Guest (SPG) Number
* Starwood Preferred Guest (SPG) Loyalty Status and Balances
* Guest Frequent Traveler Program Information
* Starwood Executive Traveler Number
* Guest Opt-In Preferences
* Email Communication Preferences
* Reservation Details
* Flight Information
* Central Starwood Unique Record Locator
* Registered Online Customer Indicator (Y/N)
* Returning Guest Indicator (Y/N)
* Employed at Starwood (Y/N)
* Record History Information
Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com.
If you have further questions or requests regarding this information, please contact us through this portal. You will continue to have access to this request for the next 30 days.
Marriott Privacy Center
Yeah, the only problem is that I only had access to this once, and not for 30 days. Furthermore, I’d love to contact them through the portal, but I can’t actually log into the portal.
Anyone else receive their data breach results? If so, how has your experience been?