Skip to Content
MIT Technology Review
Sign in
Computing

How to check if you’re affected by the Marriott mega data breach

November 30, 2018

The Marriott hotel group says information belonging to up to 500 million customers of its Starwood hotels may have been compromised. That would make it one of the biggest data thefts ever.
 
The news: After receiving a security alert in September, Marriott launched an investigation that revealed hackers had gained access to Starwood Hotels’ guest reservation database. The company is still trying to work out the full extent of the breach, which it says stretches back to 2014. Starwood includes the St. Regis, Westin, Sheraton, and W hotels.
 
The impact (so far): The hackers, who copied and encrypted customer data, took steps to remove it, but it’s not clear yet what exactly was extracted. Marriott says the hackers compromised a wide range of data from some 327 million customers, including things like date of birth, e-mail addresses, passport numbers, and loyalty account information. In the case of the other guests, the data compromised appears to be limited to things like names and e-mail addresses.

In some cases—Marriott hasn’t yet said how many—the intruders targeted payment card numbers and card expiration dates. The hotel chain says it had encrypted such data, but it can’t be sure the intruders don’t have the “components” needed to decrypt the numbers—which is deeply worrying and raises even more questions about the state of the Marriott group’s cyber defenses.
 
The response (so far): Marriott has put up a website with more information about the breach and opened a call center to handle questions from customers. It’s also sending out e-mails to people whose data may have been affected if it has their address in its database, and offering a free year’s subscription to an identity-theft protection service. Given that payment card details are involved, people should also check in with their card issuers if they fear that data may be at risk.

Marriott will no doubt be hoping a swift response to its breach will help limit possible legal action and fines under provisions like Europe’s General Data Protection Regulation. But if it turns out to have had lax controls on that data, it could still end up in legal hot water.

Correction: an earlier version of this story said the breach affected 500,000 customers instead of 500 million.

Deep Dive

Computing

What’s next for the world’s fastest supercomputers

Scientists have begun running experiments on Frontier, the world’s first official exascale machine, while facilities worldwide build other machines to join the ranks.

The future of open source is still very much in flux

Free and open software have transformed the tech industry. But we still have a lot to work out to make them healthy, equitable enterprises.

The beautiful complexity of the US radio spectrum

The United States Frequency Allocation Chart shows how the nation’s precious radio frequencies are carefully shared.

How ubiquitous keyboard software puts hundreds of millions of Chinese users at risk

Third-party keyboard apps make typing in Chinese more efficient, but they can also be a privacy nightmare.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.