500 Million Hotel Guests’ Data Was Leaked. But Starwood Wants to Talk About It

Jeff Edwards

News of major data breaches at airlines, hotels and retailers has become an almost daily occurrence, but how a company handles, or mishandles, the realization that its customers’ sensitive financial and personal information has been exposed can be even more damaging than the hack itself. As Marriott begins its damage control in the wake of a mind-bogglingly huge cyber-intrusion, it has learned valuable lessons from those who walked the path before.

The leadership at Marriott International is determined not to make the same missteps as other companies that have suffered serious data breaches in the past. As the multinational corporation responds to the fallout from the news that the data of more than 500 million Starwood Preferred Guests (SPG) may have been accessed by hackers, the mistakes of its predecessors are serving as a sort of roadmap of what not to do.

This summer, British Airways management failed miserably, by most accounts, in its response to the realization that thousands of its customers’ private financial and personal information had been exposed by Russia-affiliated cyber criminals. The airline was at first hesitant to even reveal the hack had occurred at all and it was later learned that the initial begrudging admission drastically undersold the scope and severity of the months-long security breach.

Faced with a similar hack, in which the sensitive data of millions of its customers was exposed, officials at Cathay Pacific took obfuscation to a whole new level. The company told lawmakers that it kept quiet about the cyber-attack for several months because its employees were too busy attempting to protect passengers’ private information to stop and take the time to tell passengers that their personal details had been exposed in the first place.

Both airlines lost a great deal of trust and public goodwill through efforts to try to downplay the seriousness of the security lapses. For obvious reasons, officials at Marriott have taken a much different tack toward cleaning up this latest cyber-mess.

In fact, Marriott representatives (lurkers) have been active on the FlyerTalk forums since the news broke, offering advice, confirming known facts, announcing a hotline for questions about the hack and linking to complimentary credit monitoring services for those affected by the data breach. While the posts had a conversational air, it seems clear the information and talking points were disseminated through carefully regulated, centralized communication channels. Still, the effort offered, at the very least, the appearance of transparency.

“Please visit  for more information about this incident, available resources and steps you can take,” the Starwood social media team helpfully suggested.

Despite the jaw-dropping numbers, almost guaranteed to inspire sensationalized headlines, the company was quick to announce the ugly details of the hack in plain language. Marriott not only published a statement confirming the scope of the hack, but also information breaking down a number of uncomfortable details.

“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” Marriott said in its remarkably frank statement. “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).”

The hospitality conglomerate’s chief approached the subject head-on as well.

“We deeply regret this incident happened,” Marriott International CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward. Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

Update: The following is correspondence between the author and Tracey Schroeder, Vice President, Global Head of Consumer Public Relations.

Does the SPG attack bear similar hallmarks to other recent cyber incursions such as the British Airways hack?

We can’t speculate.

How will guests learn how much of their personal information was compromised?

Marriott began sending emails on a rolling basis on November 30, 2018 to affected guests whose email addresses are in the Starwood guest reservation database. As the matter is still under investigation, we are still working to uncover specifics.

What will Marriott do to make customers who fall victim to fraud whole again?

We have established a dedicated website and call center to answer guests’ questions about this incident. The call center is open seven days a week and is available in multiple languages. We began sending emails on a rolling basis starting yesterday, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database. And we are providing guests the opportunity to enroll in WebWatcher free of charge for one year.

How will a WebWatcher subscription help?

WebWatcher monitors internet sites where personal information is shared and generates an alert if evidence of your personal information is found.

Is it correct that evidence of the hack was not discovered until after the SPG and Marriott Rewards programs were merged?

The internal alert was received on September 8 which caused us to investigate further. This incident is not related to the merging of the loyalty programs.

How did Marriott guests avoid falling victim to this cyber attack?

The investigation only identified unauthorized access to the separate Starwood network.

Any guest who booked at a Starwood property prior to September 10, 2018 could be affected, including associates. We are providing our associates the same support and resources and sharing information as we have it. The investigation is still underway so it is premature to speculate.


Comments (6)


  1. MaxVO


    November 30, 2018 at 4:43 pm

    Here’s a thought: since corporate management is never punished for such data breaches, there’s a built-in incentive to “facilitate” it for a fee. Btw, SPG’s previous suitor got busted for fraud by Chinese gov’t.

  2. spellinn

    December 5, 2018 at 4:13 am

    Interesting they claim to handle this differently, although it still took them almost three months after they detected and stopped the leak before coming clean about it! I wonder if they disclosed this to the relevant authorities in Europe within 72 hours as required by GDPR?

  3. arcticflier

    December 5, 2018 at 5:03 am

    Are you suggesting a fee to guarantee punishment of corporate management?

    Now that is the first fee I would pay happily.


    December 5, 2018 at 5:07 am

    I was very impressed that the first I knew about this was via a message on the app home page the day it was announced. Usually you learn about these things first anywhere else but from the affected company.

  5. holland

    December 5, 2018 at 5:24 am

    Too bad there’s no information about how to actually sign up for the WebWatcher subscription on the starwood site. Going to errors with an invalid certificate (ERR_CERT_AUTHORITY_INVALID). Awesome service…. 🙁

  6. stevenmb

    December 5, 2018 at 5:48 am

    Today is 5 December and I’ve yet to receive any email notification from SPG / Marriott despite being a frequent worldwide guest and Gold member. So if “rolling basis” means “it’ll take us weeks to months to notify all our clientele” then I’ll just vote with my feet and take my business elsewhere in 2019.
