Marriott, the world’s largest hotel chain, revealed a hack of its Starwood hotels guest database today, potentially affecting a staggering 500 million people who booked stays at a Starwood property for years before Sept. 10, 2018.
The company announced in a statement that it discovered the hack on Sept. 8, just weeks after officially (and controversially) merging the Marriott Rewards and Starwood Preferred Guest (SPG) loyalty programs. It managed to decrypt the information and determine the scope of the breach on Nov. 19. The Marriott network of properties is reportedly not affected.
When it comes to the sensitivity of information obtained, things couldn’t be much worse. In its statement, Marriott said: “For approximately 327 million of these [500 million] guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” Even worse, the company noted that for some, payment card numbers and expiration dates were also accessed; although this information was encrypted, Marriott “can’t rule out the possibility” that the components needed to decrypt this information may have also been taken.
The unauthorized access to the Starwood network goes all the way back to 2014. Marriott acquired Starwood in 2016, forming what is now the largest hotel company in the world, with 29 brands (including Starwood’s Westin, Sheraton, Aloft, St. Regis, and W Hotels) and 6,500 properties in 127 countries. Thus, it appears that Marriott acquired a company that was in the process of being hacked. It’s also worth noting, as Quartz did in the wake of the Yahoo and Equifax breaches, that the initial number announced in a data breach rarely captures the full scale of the problem.
Marriott’s shares fell by more than 5% in premarket trading in New York. The hack is set to be the second-largest in history, in terms of people affected; Yahoo’s 2013 breach exposed the data of 3 billion people.
SPG-ers—the obsessive and niche brand of loyalty-chasing travelers who were folded into the new Marriott rewards program that will reportedly be known as “Bonvoy”—were already none too pleased about the merger. Though anyone who booked at a Starwood property could be affected, it’s reasonable to assume that SPG-ers—who tend to stay exclusively at these properties to amass points—are highly likely to have been affected. Judging by how they responded to relatively mundane inconveniences related to the merger in the last few months, Marriott can expect some serious customer rage.
As for what Starwood guests should do now, Marriott advised that guests who had a reservation at a Starwood property between 2014 and Sept. 10, 2018 should “enroll in WebWatcher if it is available in your country.” Those affected in the US, the company noted, will also be provided with fraud consultation and free reimbursement coverage.