A massive data breach has affected an estimated 500 million Marriott guests, with birth dates and passport information being gathered.

Marriott learned about the breach back in early September and dates all the way back to 2014, but the company did not know how bad it was until a couple of weeks ago.

And since then, Marriott has discovered that the data breach affected up to 500 million guests who made reservations at a Starwood Property.

For most of them, the breach includes such things as passport information, birth dates and mailing addresses; things that can be used for fraud.

Alarming security analysts, Marriott said that unauthorized access to data at former Starwood hotels and that company’s reservation system has been taking place since 2014.

The affected hotel brands operated by Starwood before it was acquired by Marriott in 2016, include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood branded timeshare properties are also included.

None of the Marriott-branded chains are threatened.

The New York Attorney General is opening investigation into a Marriott data breach that may have affected 500 million guests. 

Frequently Asked Questions:

What information was copied?

"The information copied from the Starwood guest reservation database over time includes information about guests who made a reservation at a Starwood property, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. The combination of information varies by guest.

"For some individuals, the information copied also included payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken."

What steps did you take in response?

"After receiving the internal security alert, we immediately engaged leading security experts to help us determine what occurred. We quickly installed additional security tools to help us gather facts and reported the incident to law enforcement.

"Forensic investigative work is painstaking, and our internal and external security teams have been working nonstop to investigate the incident, implement additional security measures, and address what was found. We recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.

"On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database. We then immediately began taking steps to notify our guests and regulatory authorities."

Why are only reservations for Starwood properties involved?

"The guest reservation database that is involved was only used for Starwood reservations. Marriott uses a separate reservation system that is on a different network."

What is a Starwood property?

"Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program. Starwood branded timeshare properties are also included."

Was the Marriott network involved?

"The investigation only identified unauthorized access to the separate Starwood network."

What are you doing about this going forward?

"Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center.

"We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."

Was my information involved?

"If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved. You may choose to enroll in WebWatcher if it is available in your country. Guests from the United States who enroll in WebWatcher will also be provided fraud consultation services and reimbursement coverage free of charge."

How will I know that the email notification I receive is from Marriott?

"We want you to be confident that the email notification you may receive is from Marriott. The email will come from the following email address: starwoodhotels@email-marriott.com. We also want you to be aware that when other companies have provided notifications like this, other people used it to try to trick individuals into providing information about themselves through the use of links to fake websites (phishing) or by impersonating someone they trusted (social engineering).

"Please note that the email you may receive from us will not contain any attachments or request any information from you, and any links will only bring you back to this webpage."

I am not a Starwood Preferred Guest (SPG) member. Does this mean my data was not involved?

"Regardless of whether you are an SPG member, if you made a reservation on or before September 10, 2018 for a Starwood property, information you provided may have been involved."

What do you mean by SPG account information?

"SPG account information includes your SPG account number, points balance, status level, and communication preferences. The combination of information varies by guest."

What is WebWatcher and how do I enroll?

"WebWatcher monitors internet sites where personal information is shared and generates an alert if evidence of your personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries."

"For residents of the United States, enrolling in WebWatcher also provides you with two additional benefits: (1) a Fraud Loss Reimbursement benefit, which reimburses you for out-of-pocket expenses totaling up to $1 million in covered legal costs and expenses for any one stolen identity event. All coverage is subject to the conditions and exclusions in the policy; and (2) unlimited access to consultation with a Kroll fraud specialist."

"Consultation support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used, including investigating suspicious activity that could be tied to an identity theft event."

What other steps can I take?

"In addition to enrolling in WebWatcher if it is available in your country, below are some other steps you can take regardless of your location. Monitor your SPG account for any suspicious activity. Change your password regularly. Do not use easily guessed passwords.

"Do not use the same passwords for multiple accounts. Review your payment card account statements for unauthorized activity and immediately report unauthorized activity to the bank that issued your card. Be vigilant against third parties attempting to gather information by deception (commonly known as 'phishing'), including through links to fake websites.

"Marriott will not ask you to provide your password by phone or email. If you believe you are the victim of identity theft or your personal data has been misused, you should immediately contact your national data protection authority or local law enforcement."