Marriott’s Starwood Hotels Brand Suffers One of Largest Data Breaches


Marriott Starwood

Worse than lumps of coal in their welcome baskets, customers of Marriott International and its Starwood brands—W Hotels, St. Regis, Sheraton, Westin, Element Hotels, Aloft, Four Points and many others, including Starwood-branded timeshare properties—may be greeted by a compromised credit history.

In one of the largest online data breaches to date, Marriott disclosed that it had identified a problem in its Starwood reservation system that may have exposed the personal information of up to 500 million guests of the world’s largest hotel company.

“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

But first there’s the matter of addressing and trying to clean up the debacle. No doubt the cyber transgression against Marriott and its customers is a huge deal. The 2013 Yahoo data breach, which affected as many as 3 billion accounts, remains the largest data breach so far, and a subsequent Yahoo data breach also hit 500 million accounts.

Marriott’s internal security systems alerted the company to a potential data breach in early September, the company said, and it subsequently found weaknesses going back to 2014, preceding Marriott’s acquisition of Starwood. A hacker had copied and encrypted information from the database, and the company had taken steps toward removing it. Marriott was able to decrypt the information on November 19 and found that the contents were from Starwood’s guest reservations.

For about 327 million of the potential victims of the breach, Marriott said, the data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

For remaining customers, the potential breach was limited to name and possibly other data such as mailing address and email address.

Marriott said that it will begin emailing guests whose email addresses are in the database and will provide free-of-charge online account monitoring software to guests for a year, including reimbursement of fraud losses of up to $1 million.

The New York Attorney General has opened an investigation into the data breach.

But there’s no telling at this point what the long-term damage to Marriott’s customer loyalty and brand will be. No doubt the success of the cyber attack will infuriate many Starwood customers. Yet, ironically, it may not bother them as much nowadays as when massive data breaches were less common, because consumers to some extent have gotten used to the idea that the risk of losing their personal data is simply part of the price of participating in the global economy.

And some companies that suffered earlier big data breaches—such as Target and TJX Stores—have emerged a few years later apparently not much worse for wear, with their businesses healthier than ever. What consumers seem to demand is a major effort by the brand to make recompense to them and to try to ensure that it doesn’t happen again.



Leave a Reply

Your email address will not be published. Required fields are marked *