ATLANTA — The world's largest hotel operator, Marriott International, says as many as 500 million people who made reservations at Starwood properties may have had their personal information accessed in a data breach that may have lasted for up to four years.
On Friday, the company had determined on Nov. 19 that a breach had occurred involving the Starwood guest reservation database, which has had information on reservations at Starwood properties made on or before Sept. 10, 2018.
This would constitute one of the largest data breaches ever, ranking with two separate Yahoo data breaches, one of which reached up to 3 billion accounts. A separate Yahoo data breach also hit some 500 million accounts.
In comparison, the data breach that hit Atlanta-based Equifax in 2017 hit 143 million people.
The company says for some 327 million guests, personal information may have been compromised, which could include passport details, telephone numbers and email addresses. For other guests, credit card information may have been included.
Marriott said it had started emailing affected guests on a rolling basis on Friday to affected guests whose email addresses are in the Starwood guest reservation database.
The Starwood guest database includes hotels under the following brands: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties were also included in the data breach.
Marriott says it will provide free of charge online account monitoring software WebWatcher to guests for one year. The service reimburses fraud loss of up to $1 million. US customers who use will also get fraud consultation services and reimbursement coverage for free.
Affected customers can visit http://info.starwoodhotels.com/ for more information.
According to CNBC, last year, both InterContinental Hotels and Hyatt Hotels were victims of cyber attacks.
Consumers who may have credit cards on file with Starwood or Marriott -- even expired or closed cards -- should contact their card company and flag those cards and change those card numbers.
In the wake of data breaches, consumers should be wary of third party attempts to gather information by deception, so-called phishing attempts through links to fake websites.
If you think you may be the victim of identity theft -- or your personal data has been misused, immediately contact law enforcement. The Federal Trade Commission recommends consumers get a free, one-year fraud alert from one of the three major credit bureaus, Equifax, Experian or Trans Union.
"Annual credit reports and credit freezes are free," said Paige Boshell, a privacy and cybersecurity attorney. "Freezes enable the consumer to review each application of credit made in his or her name and stop fraud as it is happening."
If you think your passport number is involved, treat it as if it were stolen and contact the State Department to replace it with a new number.
Change your passwords. Do not use easily guessed passwords or the same password for multiple accounts. If an online account offers it, set up two-factor authentication, which will send a text message to your phone with a verification when you log into an app or site.
Review your credit card statements for unauthorized activity and report any to your bank immediately.
Monitor your Starwood Preferred Guest account for any suspicious activity.