Starwood Data Breach

The theft of personal information from as many as 500 million Starwood guests, dating back to 2014, has been traced to Chinese hackers working for the Ministry of State Security, the country’s civilian spy agency, according to The New York Times.

The hack also included health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation, the Times reported. The Times also cited four unnamed U.S. officials who said there could be indictments against Chinese hackers working for the intelligence services and the military. It said the Trump administration also plans to declassify intelligence reports to reveal Chinese hacking efforts dating to at least 2014.


Marriott International said the cybertheft affected reservations made up to September 10, 2018.

A Marriott investigation found that 327 million of the files illegally accessed included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

For some, the information also includes payment card numbers and payment card expiration dates. The payment card numbers were encrypted using Advanced Encryption Standard encryption. That code may also have been compromised, however.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and CEO. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Marriott, which purchased Starwood in September of 2016, is emailing guests of W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels who may have had their data compromised. The company has set up a dedicated website and a call center to answer questions about the incident.

Marriott has offered one-year free enrollment in WebWatcher, which monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.

Marriott is also phasing out Starwood guest registration systems.

Editor’s note: The same day the cybertheft was announced, a class action lawsuit was filed by Murphy, Falcon & Murphy, the law firm involved in a 2017 Equifax breach, for “failure to ensure integrity of servers and safeguard customer information.” Marriott International has also offered to pay for passport replacements for anyone who may have been a victim of fraud because of the leak.