Marriott’s Starwood database hacked, 500 million guests potentially affected

By: Lisa Coxon on November 30, 2018

Marriott International announced on Friday that its Starwood Hotel guest reservation database was hacked, potentially affecting 500 million people, including those in Canada, the United States, and the United Kingdom.

The list of stolen guest information is extensive. For around 327 million of those affected, the breached data includes passport number, mailing address, phone number, email address, Starwood Preferred Guest (SPG) account information, birth date, gender, arrival and departure information, reservation date, and communication preferences.

Payment card numbers and card expiration dates were also accessed, though Marriott says they were encrypted using the Advanced Encryption Standard (AES-128). “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

Marriott first learned of the breach on Sept. 8, when an internal security tool alerted it to an attempt to access the Starwood database. It then launched an investigation, which revealed that the unauthorized access dated back to 2014, two years before Marriott acquired the Starwood brand. Guests who made a reservation at any of the Starwood hotels on or before Sept. 10 may have been affected.

The company learned that an unauthorized party had copied and encrypted information. On Nov. 19, Marriott decrypted the information and discovered it was from the Starwood database. Anyone with an SPG credit card would have to reserve hotel rooms through this system in order to collect points. But, regardless of whether or not a guest is an SPG member, their information may have been compromised.

Hotels affected by the breach include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels, as well as Starwood branded timeshare properties.

“Canadian customers who made reservations at a Starwood property are affected,” Marriott spokesperson Tracey Schroeder confirmed via email to Global News. “The investigation is ongoing and we will share more details as appropriate.”

Marriott says it has taken steps to contain the incident. The company has set up a dedicated call centre where customers can ask questions about the breach. It’s open seven days a week, and is available in multiple languages.

As of Nov. 30, Marriott has started to send emails to affected guests whose email addresses are in the Starwood guest reservation database. That email will come from “” so guests can be certain it’s indeed from Marriott.

It’s also given guests the chance to enroll in WebWatcher, a software program that monitors internet sites where personal information is shared and alerts customers if evidence of their personal information is found. It’s offering those affected a free enrollment for one year.