Go Back  FlyerTalk Forums > Miles&Points > Hotels and Places to Stay > Marriott | Marriott Bonvoy
Reload this Page >

Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Marriott Data Breach [from Starwood database] : 500 Million Guests affected

    Hide Wikipost
Old Aug 5, 19, 6:41 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: MasterGeek
Wiki Link
From Starwood Lurker team :
Please visit  info.starwoodhotels.com  for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here, it cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes :
https://answers.kroll.com/us/index.html
Print Wikipost

Old Apr 23, 19, 5:56 am
  #556  
 
Join Date: Dec 2007
Location: Canada
Posts: 1,134
Oh no! I'm usually very cautious - should I be worried? Ugh. I guess not much I can do at this point.

If this was not legit any quick tips from the IT experts out there. I feel sick right now

Last edited by Bravada04; Apr 23, 19 at 6:30 am
Bravada04 is offline  
Old Apr 23, 19, 8:56 pm
  #557  
 
Join Date: Jun 2011
Location: DCA
Programs: AA EXP; BoNVoY Plat
Posts: 1,761
Change your password and check stuff regularly.
ckendall is offline  
Old Apr 24, 19, 8:05 am
  #558  
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 7,946
Originally Posted by Bravada04 View Post
I received an email today from "Marriott Privacy"..........it asks me to open the request. I do that and then it says my link has expired (albeit I just received the email today?).

It asks me to type in my email address and they will send me a new access token?

I have no idea what this is or if I want to enter my email address?

Update: I did get a new link and was able to access the webpage. The webpage is BLANK! I would sure like to know if the information they are sending me is important? What gong show! Just have to laugh.
Mine worked the same way.

I don't see what a phisher would get out of having you re-enter the email address that they sent the email to, except to know that someone reads emails at that address.

I just chalked it up to more Marriott incompetence.
josephstern is offline  
Old Apr 24, 19, 7:05 pm
  #559  
 
Join Date: Dec 2007
Location: Canada
Posts: 1,134
That is good to know...........that it in fact might just be a Marriott IT issue?...and hopefully nothing to worry about!
Bravada04 is offline  
Old Aug 5, 19, 1:27 pm
  #560  
 
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
Data breech passport replacement reimbursement-success or failure

Hello community,

I've stared this thread to see what the success or failure rate is of making a claim with Marriott for getting the costs associated with passport replacement when someone does have the report from Kroll showing their passport number was indeed compromised.

I've started this thread in part because Marriott's policy is vague, and unclear, and contains a massive "out" in terms of the policy which is highlighted. Basically, is Marriott actually requiring proof our compromised data was used? If so, this seems to be a bar that would be impossible to clear, and also, how can any say it won't be used later? The way Marriott has handled this, the lack of notification, the vague and unclear communication, it's as if they have been an evasive actor through the whole thing.

"We have a claims process in place for guests whose passport numbers have been verified to be part of the unencrypted group and who are concerned that their information was used fraudulently. To have a fraud claim considered for reimbursement, please mail a summary of what happened, including what fraudulent activity occurred using your passport number, and what your request is along with documentation of any expenses to any of the addresses set forth below:
For guests from the U.S., Canada, Asia Pacific and Middle East & Africa: Marriott International, Inc. 10400 Fernwood Road Bethesda, MD 20817 ATTN: Department 51 911.01 Ė Claims
For guests from Europe: Starwood Guest Reservation Database Enquiries North Valley Business Centre Old Mallow Road Blackpool T23 Y262 Cork Ireland
For guests from the Caribbean and Latin America: Starwood Guest Reservations Enquiries Corporativo Dos Patios - Ejťrcito Nacional No. 350 Polanco V Secciůn, Miguel Hidalgo, C.P. 11560 Ė Suite 4C Ciudad de Mexico Mexico"


There are many media reports back in December claiming Marriott would cover theses costs, but there has been very little in terms of if they actually are making good on those promises.

If you could post the date you submitted your claim, to which address did you submit your claim, what if any response there has been from Marriott, if you received compensation or not, and if you did when and how was the compensation issued.

Thank you all so much...

I have applied July, 26th using the Bethesda, MD address.
I have not heard anything back from Marriott as of yet 8/5/2019
I will update this post as those events change if they do change.
transportbiz is offline  
Old Aug 5, 19, 1:31 pm
  #561  
Hilton Contributor Badge
 
Join Date: Feb 2008
Location: In the air
Programs: BA Gold, Marriott Tit, Hilton Diamond, AMEX Plat
Posts: 6,715
Do you have a case where you believe the data breach has caused you to have to get a new passport? I donít think itís happened to many because itís not like Chinese spies want to be using your details...
C17PSGR likes this.
EuropeanPete is offline  
Old Aug 5, 19, 1:45 pm
  #562  
 
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
Originally Posted by EuropeanPete View Post
Do you have a case where you believe the data breach has caused you to have to get a new passport? I donít think itís happened to many because itís not like Chinese spies want to be using your details...
My passport number was among the unencrypted numbers that were exposed. There is no way of knowing if the data has been used or sold, nor is there any way of knowing if it will be used or sold at a later date, that is not the standard by which data breeches are tested, the standard is was private identifying information compromised. In my case, Marriott admits it was.
transportbiz is offline  
Old Aug 5, 19, 2:09 pm
  #563  
 
Join Date: Nov 2014
Location: New York
Programs: MB-LTT , HH-Diam., HGP-Expl., Accor-Plat., Former FPC-Plat.
Posts: 687
It's been a while, but I called and spoke with a rep who thought I should get a new passport until I requested reimbursement for it. My guess is that even if your passport info was used for something nefarious, you won't be able to provide the proof needed to get Marriott to pay for a replacement.

With my family's data, it appears that any information kept by Starwood was compromised. Others may not have the same experience as we did. Since a company's failure to secure customer information has occurred so many times, this instance doesn't concern me. I am not interested in a debate about whether or not passport details could be used in a way that harms those whose details were fraudulently obtained.

Last edited by rny321; Aug 5, 19 at 2:27 pm
rny321 is offline  
Old Aug 5, 19, 5:00 pm
  #564  
FlyerTalk Evangelist
 
Join Date: May 2002
Location: Pittsburgh
Programs: MR/SPG LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus
Posts: 26,537
Originally Posted by transportbiz View Post
There is no way of knowing if the data has been used or sold,
When your credit card statement has a fraudulent charge, I'm pretty sure you know it's been used. When the FBI contacts you about international trips you haven't taken, I'm pretty sure you know it's been used.

Originally Posted by transportbiz View Post
that is not the standard by which data breeches are tested, the standard is was private identifying information compromised. In my case, Marriott admits it was.
I don't think the "standard" is to replace every piece of identification for every person affected by a breach, whether it caused harm or not. I probably have 5 different "monitoring" subscriptions due to breaches - no one has ever replaced everything that was exposed and I'm not aware of any harm caused by the exposed data.

(it's breach, not breech. Unless your passport was in a canon or came out a** first)
trooper likes this.
CPRich is offline  
Old Aug 5, 19, 5:52 pm
  #565  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,238
Originally Posted by transportbiz View Post
"We have a claims process in place for guests whose passport numbers have been verified to be part of the unencrypted group and who are concerned that their information was used fraudulently. To have a fraud claim considered for reimbursement, please mail a summary of what happened, including what fraudulent activity occurred using your passport number, and what your request is along with documentation of any expenses ... .
That's not unclear at all. Marriott says you need to show what "fraudulent activity occurred using your passport number."

You'll note that unlike previous data thefts, credit card companies haven't been swapping out credit cards. In fact, the credit card company most likely to notice fraudulent activity would be Amex since they issued the SPG Amex card and the CEO says they have not seen any evidence of fraudulent activity in credit cards.

Originally Posted by EuropeanPete View Post
Do you have a case where you believe the data breach has caused you to have to get a new passport? I donít think itís happened to many because itís not like Chinese spies want to be using your details...
+1

I haven't bothered to check to see if my data was in this theft but considering I've been to Hong Kong several times on my current passport, I presume my passport data is already in the Great Silk Database. Now they have some hotels/cities to match with that data.

And, if I set aside whether the EU, US, Canadian, and Austrialian databases with passport entries are secure, I presume other databases in South America, Asia, and non-EU countries in Europe might have their data in the Great Silk Database.

Then, when I was in Spain a couple of weeks ago, the hotel scanned my passport to turn it over to the Spanish police. What are the chances that random police department data is in the Great Silk Database?

Like others, I remain interested in what fraudulent activity may have been uncovered using your passport data so we can be aware of it.
C17PSGR is offline  
Old Aug 5, 19, 7:03 pm
  #566  
 
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
Wow, so cool, you are all fine with your personal information being stolen, and the company responsible for it having zero responsibility. Spelling errors and other petty, nonsense aside I am not okay (or is it okay to use OK, not sure with the grammar police here) with it. For two reasons: One it's wrong, and two, when a company's CEO stands before congress and tells them he will do something (replace passports for those who were exposed) and then doesn't do it. That used to mean something. But of course in this day and age where what's really important is to be on your high horse, look down on everyone else who doesn't see things the way do, when lies don't mean anything because everyone does it, when integrity is an antiquated concept...THAT is indeed what is important. I've avoided flyertalk for this exact reason. I've seen all too many times a credible concern is lambasted. It is NOT a place for discussion it's a place all too often for corporate hacks, and those who care only about defending the companies they feel some odd moral obligation to, because they have a certain status or a bank of points, which is probably the more accurate motivation, something as simple as what's it if for the almighty me.

As to the lack of a smoking gun from AMEX, not sure about that, my card was replaced very mysteriously, I was notified it had been compromised and a new card was being issued, when I called I was given no information about the nature of how my card was compromised, which I thought was very odd. I have three AMEX cards and the only one that was replaced was the one I used exclusively for stays at Marriott properties.

So one person here also has admitted their claim was shown to the round file, which by the way is the only response so far that's been on the topic of the thread.

Last edited by transportbiz; Aug 5, 19 at 10:25 pm
transportbiz is offline  
Old Aug 5, 19, 7:16 pm
  #567  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 91,424
Originally Posted by C17PSGR View Post
That's not unclear at all. Marriott says you need to show what "fraudulent activity occurred using your passport number."

You'll note that unlike previous data thefts, credit card companies haven't been swapping out credit cards. In fact, the credit card company most likely to notice fraudulent activity would be Amex since they issued the SPG Amex card and the CEO says they have not seen any evidence of fraudulent activity in credit cards.



+1

I haven't bothered to check to see if my data was in this theft but considering I've been to Hong Kong several times on my current passport, I presume my passport data is already in the Great Silk Database. Now they have some hotels/cities to match with that data.

And, if I set aside whether the EU, US, Canadian, and Austrialian databases with passport entries are secure, I presume other databases in South America, Asia, and non-EU countries in Europe might have their data in the Great Silk Database.

Then, when I was in Spain a couple of weeks ago, the hotel scanned my passport to turn it over to the Spanish police. What are the chances that random police department data is in the Great Silk Database?

Like others, I remain interested in what fraudulent activity may have been uncovered using your passport data so we can be aware of it.
That “your” passport number data was confirmed as having been stolen in the data theft is a clear sign that “fraudulent activity occurred using ‘your’ passport number”. Or do you consider data theft to be evidence of no fraudulent activity?

Marriott made a claim it was going to pay for passport replacements due to the data theft. Has Marriott even paid for one replacement passport for any of those whose passport numbers were stolen?
GUWonder is offline  
Old Aug 5, 19, 7:23 pm
  #568  
 
Join Date: Sep 2008
Location: Midwest USA
Programs: BA GGL/CCR, WN A+/CP, UA SIL, Marriott TIT (LT), Hyatt EXPL, Hilton DIA
Posts: 1,638
I don't know how anyone can defend Marriott on this one.

Agree with GUWonder - the fact that it was stolen is prima facie evidence of fraudulent activity.

Marriott should do the right thing (and honor their promise) to pay for new passports for those affected.
nachosdelux is offline  
Old Aug 5, 19, 7:58 pm
  #569  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,238
I continue to think it odd when people display no anger toward the thief.

But I had a very simple question -- what evidence do you have of fraudulent activity of the use of your passport? Simply stealing it, isn't use. If its just a generalized concern that you're worried that your passport number and dates are in the hands of the thief, why not state that? If its something specific, why not tell us so we can be alert for the same thing.

And have you traveled outside the US and Western Europe on your current passport? If you have, wouldn't the data thief have your info already?

It's not defending the victims of theft by a sophisticated state actor, but FT can't be a platform for fear mongering.

How about a post like this:

I am concerned about the theft of data in the Starwood database. I think Starwood/Marriott should have taken precautions to prevent theft by a highly sophisticated state actor that is seeking to collect as much data on individuals as possible. I have not seen any impact to me but wondering whether there is anything I should be worried about. With my current passport, I have been to the following countries? Do have any sense of whether those countries are able to protect passport information from theft by a sophisticated state actor? And, even though I don't have any evidence of impact on me, has anyone been able to get Marriott to pay for a new passport?

And perhaps

Since our political officials know what is happening, why aren't they doing anything, or at least saying anything about that state actor?

Last edited by C17PSGR; Aug 5, 19 at 8:22 pm
C17PSGR is offline  
Old Aug 6, 19, 3:07 am
  #570  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 91,424
Originally Posted by C17PSGR View Post
I continue to think it odd when people display no anger toward the thief.

But I had a very simple question -- what evidence do you have of fraudulent activity of the use of your passport? Simply stealing it, isn't use. If its just a generalized concern that you're worried that your passport number and dates are in the hands of the thief, why not state that? If its something specific, why not tell us so we can be alert for the same thing.

And have you traveled outside the US and Western Europe on your current passport? If you have, wouldn't the data thief have your info already?

It's not defending the victims of theft by a sophisticated state actor, but FT can't be a platform for fear mongering.

How about a post like this:

I am concerned about the theft of data in the Starwood database. I think Starwood/Marriott should have taken precautions to prevent theft by a highly sophisticated state actor that is seeking to collect as much data on individuals as possible. I have not seen any impact to me but wondering whether there is anything I should be worried about. With my current passport, I have been to the following countries? Do have any sense of whether those countries are able to protect passport information from theft by a sophisticated state actor? And, even though I don't have any evidence of impact on me, has anyone been able to get Marriott to pay for a new passport?

If the locksmith who changed your front door locks leaves you with a front home door that isnít locked properly and isnít (in the event of a break-in of sorts) covered by insurance (due to there being no or too low grade of a lock mechanism), wouldnít you complain to the locksmith when the thief goes in through the easily opened front door with the locksmith-compromised ďlockĒ situation?

If you had house guests who left your house without fully shutting and locking the door and who failed to arm the alarm system properly per your instructions and left the key hanging in the outside door lock, you wouldnít complain to the negligent house guests when you find out a thief robbed you blind because your guestsí negligence negligently facilitated the burglary?

Blame the thief, definitely. But would you really not complain about the negligent parties that enabled your house to be made into the easy target for thieves?

You can bet I would take up the issue with the locksmith. And you can bet I would take up the issue with the house guests. Negligent parties deserve to be called out for negligent behavior and to have to pay in a way for their negligence.

If the locksmith puts in a compromised, insurance-compromising lock mechanism on my doors despite me paying full price for something way better, you can bet that I would complain to the locksmith and expect the locksmith to get it fixed and up to spec even in the absence of the home being burglarized.

Leaving me with a compromised, thief-friendly front door until there is a reported use of stuff stolen from my home is not an acceptable approach. Not acceptable when it comes from the locksmith. Not acceptable when it comes from the house guests. But itís acceptable when it comes from Marriott because Marriott is a favored corporation and thus should be free of having to pay up for its compromising ways?

Last edited by GUWonder; Aug 6, 19 at 3:28 am
GUWonder is offline  

Thread Tools
Search this Thread
Search Engine: