BETHESDA, Md. – Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, the company said Friday as it acknowledged one of the largest security breaches in history.
If you stayed at one of Marriott's Starwood hotels recently, hackers might have information on your address, credit card and even your passport. Some of this can be used for identity theft, as hackers create bank and other accounts under your name.
"Passport information, they can contact the government and start getting information about you," said online information expert Kevin Johnson, with Secure Ideas. "Passport identification is all they need to be tied to identity theft. Your passport number is tied to your Social Security number. Your date of birth is part of this."
The full scope of the failure was not immediately clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times. Though credit card information was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.
Analysts were alarmed by the length of time the breach had been going on. Many security breaches span months, an average of 90 to 200 days, but this one began in 2014. Johnson said hackers will be using Marriott customers’ personal information for years to come.
The breach affects only the hotel brands operated by Starwood before Marriott bought it in 2016. That includes W Hotels, St. Regis, Sheraton, Westin and Four Points. Starwood-branded timeshare properties are also affected. Marriott-branded chains aren't affected, as data on those stays are on a different network.
According to Marriott, the breach affected reservations at Starwood properties through Sept. 10, 2018. That could include reservations made for a future stay.
Johnson said the first thing you should do if you have a Marriott account is log in, verify your account has your right information and immediately change the password.
"If you have reused the password for the Marriott site, wherever you have you reused it, go change that too," he said. "That’s the next step for the attackers. They take the credentials they stole from Marriott Starwood, it’s called a credential stuffing attack, and they will use try those passwords at as many places as possible."
Johnson said affected customers should monitor their bank statements and be wary of getting any phone calls from hackers who know your personal information and try to get even more based on what they’ve obtained from Marriott.
"Any time of day or any time of night, there is someone selling data like this," Johnson said.
Marriott is emailing affected guests, though be careful about scams. If you get such an email, instead of clicking on anything, check Marriott's information site at answers.kroll.com to find out what to do.
Marriott has set up a website and call center for anyone who thinks that they are at risk, and on Friday will begin sending emails to those affected. Customers in the U.S. can call 877-273-9481 for more information.
Online security experts also suggest you consider opening a separate credit card for online transactions only, making it easier to spot fraudulent activity.