
Marriott International says that a breach of its Starwood guest reservation database exposed the personal information of up to 500 million people. If your information was exposed, there are steps you can take to help guard against its misuse.

According to Marriott, the hackers accessed people’s names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information. For some, they also stole payment card numbers and expiration dates. Marriott says the payment card numbers were encrypted, but it does not yet know if the hackers also stole the information needed to decrypt them.

The hotel chain says the breach began in 2014 and anyone who made a reservation at a Starwood property on or before September 10, 2018 could be affected. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, and other hotel and timeshare properties.

The company set up an informational website, https://answers.kroll.com, and a call center, 877-273-9481, to answer questions. It says affected customers also can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. Marriott says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.

If your information was exposed, take advantage of the free monitoring service, and consider taking these additional steps:

  • Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could signal identity theft. Visit IdentityTheft.gov to find out what to do.
  • Review your payment card statements carefully. Look for credit or debit card charges you don’t recognize. If you find fraudulent charges, contact your credit card company or bank right away, report the fraud, and request a new payment card number.
  • Place a fraud alert on your credit files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you. A fraud alert is free and lasts a year.
  • Consider placing a free credit freeze on your credit reports. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that it won’t stop a thief from making charges to your existing accounts.

Marriott says it will send some customers emails with a link to its informational website. Often, phishing scammers try to take advantage of situations like this. They pose as legitimate companies and send emails with links to fake websites to try to trick people into sharing their personal information. Marriott says its email will not have any attachments or request any information. Still, the safest bet is to access the informational website by typing in the address, https://answers.kroll.com.

To learn more about protecting yourself after a data breach, visit IdentityTheft.gov/databreach.


Twainer
December 04, 2018
This and the continuing thefts of personal data are a precise indication that Security is NOT taken seriously enough by those trusted with it! When Equifax can be hacked, it's evidence of the soft attitudes about data protection! This HAS to change! Even the little guys can set up protection against this stuff if they were so inclined. Here at least, personal data is kept OFFLINE and the ONLY time it goes online is long enough to make writes to the data, then it is immediately taken OFFLINE again. So personal data is NEVER online except for specific, very short periods of writing data! Heuristic checks run 24/7 looking for anything that is out of line with intended SW operations, internally and externally. Backups are made in real time but ONLY while the data is offline! Never allow any sensitive data to exist facing the 'net; all data are collected and when complete, the random buffer where it's stored is immediately loaded into the offline storage. And a lot more, but those are general descriptions only. We have NEVER had a breach (so far), but have caught several before they got anywhere near actual data.
ltleato
December 04, 2018
WE ARE VICTIMS OF THE MARRIOTT DATA BREACH.
ken
December 04, 2018
Thank you for this information. Very useful. It is apparent that tighter control over internet information OR stricter penalties for hackers is needed.
StrongThought
September 09, 2019

In reply to by ken

Stricter penalties for hackers would do no good, as they are often out of the jurisdiction of those making the laws. What we need are much stricter penalties for those who are responsible for safe-guarding our information in their systems in cases where said information is leaked, whether through hacking or through any other means.
vitalis0268
December 04, 2018
I suggest thorough investigation, Marriott should be held responsible. For example, I was traveling out of the country, when I got at the airport (Dulles Airport), I was told that the plane was over booked. I was not offered any refund. They decided to check me in at Marriott Hotel till the next day, I used the hotel computer to browse, and later discovered that my identity has been compromised. Too bad.
Marvin Thornton
December 04, 2018
Do I contact Marriott if I get affected? Or do I contact my credit card?
really?
December 04, 2018
Really? One of the largest breaches ever, and the FTC's response is to put the onus on us - the public - to fix Marriott's incompetence? Where is the penalty to the corporation that caused this breach, not to mention the aftershock effects of phishing that will no doubt come as a result of this?
FTC Staff
December 04, 2018

In reply to by really?

Was your information exposed? Marriott has an informational website and a call center, 877-273-9481, to answer questions. Marriott says affected customers can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. It says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.

If your information was exposed, take advantage of the free monitoring service, and consider taking the additional steps described in the blog.

ckl
December 05, 2018

In reply to by FTC Staff

Marriott still does not know who was impacted; I have asked repeatedly since the issue was first reported. The website is useless and the Kroll employees have a simple script that refers you to the site and credit monitoring. Marriott’s actions are shameful and the FTC needs to force action...or be disbanded as what purpose do you serve?
freakedout
December 04, 2018
The fact that this happened 4 years ago and your company did not even suspect a compromise. What are you doing to appease those who have been affected and the time now we must spend monitoring our credit? Why should our credit card companies be left with any potential losses and the cost to replace our credit/debit cards and thus ultimately pass this cost back to us? It was your company that didn't protect our confidential information and now we must suffer.
FTC Staff
December 04, 2018

In reply to by freakedout

If your information was exposed, take advantage of the free monitoring. Marriott has an informational website and a call center, 877-273-9481, to answer questions. Marriott says affected customers can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. It says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.

Consider the additional steps listed in the blog. They can help you spot identity theft and stop someone from opening accounts in your name.

paulhut
December 10, 2018

In reply to by FTC Staff

Sorry, no, one year of credit monitoring is not enough. I want lifetime monitoring and a guarantee there will be reimbursement if this data is used against me. Please step it up FTC. These guys were negligent for FOUR YEARS.
YKR
December 04, 2018
I believe virtually all fraud and cybercrime will stop automatically if banks implement simple systems they are aware of which will personalise signature, PIN and passwords to the individuals so criminals will not get tempted to use them to make easy money. I cannot think of any reason why proposed will not restore honesty can you?
Don't use your…
December 16, 2018

In reply to by YKR

It already happened to me so I know. I would like to get assistance on my lost profit in personal wage at least
Pissed
December 04, 2018
That explains the phone call I had today from a “Marriott Property” that I had stayed in recently that I hung up on. Bring on all the annoying phone calls that I will have to block. How do these companies get away with it time after time?
SafeStay
December 04, 2018
I paid for a safe and secure stay at Marriott/Starwood/allProperties and am rewarded with Marriott advising me that I should never have given private information out to begin with...yet it is required by the chain and gov agencies. PATHETIC. that they accepted the responsibility at the time... but now it is my problem... oh yeah if I can prove it was them... Marriott might foot the bill for my new passport...maybe KROLL is the only winner in all of this.
2014 ?????????…
December 05, 2018
OR it took them 4 years to find out about it ????????????????????
Anonymous
December 05, 2018
Well done Seena and the above steps will prevent a whole lot of malpractices and prevent credit card fraud in the near future to Marriott and its entities. You did good with this publication. Whoever have ears should listen/hacken to your advice. I have paid $12.99 for years to keep up/track with my credit card, and that is hardly enough. It is tough out there especially with most folks being out of work/layoffs/downturns/fluctuation in the economy, anyone could have done that to Starwood Corporation out of frustration. It all comes back. Best, Gloria.
mitchell.rj2010
December 06, 2018
need to verify if breach affected me.
JY
December 05, 2018
I think the breach goes back further than 2014, because I received a spam email posing as Marriott customer service wanting to give me 2 nights free stay voucher to ANY Marriott hotel. The email was sent to my work email, which was used only once at a SPG hotel in 2008.
IA Eng
December 07, 2018
The problem with all of this is that the names of the companies change but the same result is the same. It seems to be an acceptable business practice to be hacked and throw out some blanket for a false sense of security, in terms of a one year monitoring. These companies will keep the budgets low, raise the amount of insurance coverage and then when a breach occurs, say they are sorry and "your information is important to us" or "we take this very seriously". Yeah NOW that a breach has occurred you do. They ride the gravy train until it falls off the track. Then, they win back some of the money via insurance or, simply write it off as a loss the following year. What happens to the consumers? Not much, they are left to tackle these instances by themselves, with a heaping tablespoon of go here, read this and figure it out yourself. Many people behind the scenes don't get it...... they are in an IT field or other profession for years or decades. A victim of ID theft for the first time may not be as technically savvy to the ways of handling all of this. They will go to the bank, demand a new card and they think the issue is over. That's far from the truth. The process is broken. There is no sure fire way for the corporations to be completely secure from attackers since there are many, many undocumented zero day vulnerabilities that exist. When credit card companies start losing billions of dollars, then they will fix a problem. Until then, it's on the consumers to drop a corporation that has violated their trust. People won't do this for two reasons. They are creatures of habit, returning to their old ways and forgiving too quickly. And, since there aren't any strict governmental standards in place, or stricter card rules, standards and security, the list of hacked sites outweigh the ones still not hacked. So what do people do? A bunch of nothing, or rant and rave about a class action suit which brings them 50 bucks and another false sense of victory.
It's crazy, this is accepted, and the process is so broken that eventually, someone with a brain will figure out a rule to take the ease out of the process and incorporate security once again.
mjc775
December 07, 2018
People should also change passwords on other sites if it's the same password as the one they used to login to their Marriott/Starwood online account.
Govfailingall of us
December 07, 2018
Where are the laws to stop public and private organizations from gathering information from any and all U.S., tax paying citizens?! Why is Experian still listed as one of the credit agencies accessing and holding onto our information?? Why aren't our congress representatives outraged that none of the top Experian principals have not been fired and prosecuted. Our elected representatives and senators need to take action now!! To protect our privacy and our personal information pass a right to privacy law that punishes those that choose by neglect or purpose to violate the law! Until this occurs no one's Rights are safe going forward! Every year we are seeing more electronic devices innocently being offered as personal assistance devices. BEWARE until we have in place laws to regulate oversight of these electronic devices we are being painfully ignorant and way too trusting.
Carol K
December 09, 2018
I went to change my password and delete my payment info, and noticed my account was linked to Facebook, which I did not do. I tried to delete the link but couldn’t. What is going on? Marriott needs to fix ASAP.
NiceTry Not Myname
December 10, 2018
What a joke. Pathetic response to an unacceptable breach of trust. People... Remember... the corporations and the government DO NOT CARE about us. Protect yourself by monitoring your own credit and bank accounts. WHEN it happens, and it will, report it and move on with your life. We gave up real security when we went to a fiat currency anyway, the only reason your dollars have worth is because someone else will exchange goods for them. Look at Venezuela to figure out how badly this can go when people no longer agree on the value of a dollar.
Concerned
December 14, 2018
I received an email sending a link to accept a voucher for two night stay from Marriott as an apology for my personal data being stolen from them. I think if I clicked the links I would get a virus or worse! Has anyone else received this type of email?
FTC Staff
December 14, 2018

In reply to by Concerned

That's a scam email - delete it! Thanks for spotting that and warning people.

It's good that you didn't click on the links or reply to it. That email is from a scammer who is phishing around for information. Scammers often send emails like that after a breach. They hope people will click on the links and share personal information.

Bob
December 16, 2018
Why doesn't the FTC hold companies liable like individuals are held liable under the Privacy Act? Currently, the Act states if an individual is found guilty of violating this Act they can be fined $5,000. Take into consideration that with 2017 national annual median income being approximately $61,000, that is about 12% of income. If that were applied to the Marriott breach.. Marriott would owe the government about $2,200,000,000, as in 2017 their annual profit was about $22,000,000,000. I think if corporations were held accountable for their actions like individual citizens are...these breaches in PII security would stop immediately.
Burned
January 05, 2019
Marriott failed its loyal customer base and now puts it on them to correct their failure
Concerned abou…
January 09, 2019
I've received upwards of ten phone calls originating from various area codes in the US from unknown numbers since the breach. These calls leave voice mails in possibly Mandarin or Cantonese.
Kathy S
January 13, 2019
I just received a ransom note regarding my Starwood account in the ransom note I was told exactly what my password was and what account it was associated with. They asked for $682 in bitcoin - when I went to try to change my now known password - I discovered I was locked out - not only has my password been changed, my address has also been changed so I can't even recover my password because I don't know what address they changed my account to. For the hackers to have access to my password to Starwood - and now apparently in control of my account - is really bad and extremely frustrating. I did not ever get notified by Marriott and had to find out that my information was stolen from the hackers.
Everyone is th…
February 15, 2019
I got the "We're sorry. Here is a free 2-night stay at any Marriott location." email. Turned out it was from my own IT security as a test. Can't trust anyone.
Dido
August 03, 2019

In reply to by Everyone is th…

I got the same stupid email. I started ignoring all my emails from my IT department, because if I click on one of them, my boss gets notified & I get written up.
Tired of calls
February 18, 2019
This breach of privacy and receiving unsolicited calls
Chet Rowe
February 20, 2019
Always protect all of your personal information.
StarwoodBreached
March 20, 2019
Anyone else receiving tons of spam since this breach occurred with major grammatical and spelling errors? I am and it seems to be pretty easy to identify them - they all contain the same verbiage; aka "envirnament" or the latest ones "Hey there, first off, thanks for the interest in our newsletters... have fun reding them"... If other starwood customers have the same issue, one would think that a paper trail exists to find the money behind the marketing campaigns that are blowing up my inbox. Does Starwood care?
Spam, baked be…
March 27, 2019

In reply to by StarwoodBreached

Yes, yes and yes. I have 5 of these every morning when I wake up with different subjects from completely different domains all with the same intro text preview... "-- -- Hey there, first off, thanks..." I'm flagging them as spam as I get them, but there's no end in sight as they're all coming from random addresses. Our emails have to be on a list somewhere feeding this trash.
mdbBoston
May 20, 2019

In reply to by StarwoodBreached

Yes, 3 or 4 every day . . . "Hey there, first off, ...." So annoying.
StarwoodBreachedToo
March 31, 2019
Yes, I am literally bombarded with these spam emails as well - all start the same "Hey, there..." I have been begging Comcast to do something and after weeks of being bombarded with them - no response whatsoever. Maybe we should sue Starwood for the inconvenience of having them fill up our mailboxes every day.
maj1978
May 14, 2019

In reply to by Me too

I am receiving these e-mails, "Hey there, first off, thanks for the interest in our newsletters, hope you have fun reding them" and it seems like there is nothing I can do to stop them. I can't block the sender as the sender's address constantly changes. HELP!!
Cmitchell
October 30, 2020
A friend of mine just got back-to-back phone calls from a company that said they were with Marriott Hotels. When someone came on the line they said they were with Vallarta Gardens but then immediately hung up after they gave the info which is located at: Carretera Federal la Cruz de Huanacaxtle Punta de Mita Km 1.2, Marina, 63734 Cruz de Huanacaxtle, Nay., Mexico Phone number is actually: Phone: +52 (329) 295 6212 Email:  info@ boutiqueprc. I am putting this up here so the FTC and the FBI can see this! According to other websites that also show this scam they don't have the info I just gave. And Marriott has claimed to have had a DATA BREACH OF 500 MILLION last December 2018 So be careful and Don't use this "Resort" If you plan to go to Mexico!!!