NEW YORK (CBSNewYork/AP) – The New York attorney general is opening an investigation into a Marriott data breach that may have affected up to 500 million guests.
In an early tweet Friday, New York Attorney General Barbara Underwood said residents need to know their personal information is safe.
Marriott says that unauthorized access to data at former Starwood hotels, which Marriott acquired two years ago, has been taking place since 2014. None of the Marriott-branded chains are threatened.
What Was Compromised?
According to Marriott’s Starwood website: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
What To Do If You Made A Reservation
“The problem with all these things is there’s not much you can do about it,” said David Carnoy of CNET.com. He says hotel guests should stay calm if they think they may have been affected.
“There’s a lot of information about you on the internet to begin with. So some of that information is already out there, if people are looking for it,” Carnoy said.
Any guest who made a Starwood reservation, regardless of whether they are a Starwood Preferred Guest member, may have had their data involved in the breach.
Starwood Hotels includes W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
Marriott posted the following recommended steps for people who may have been affected by the breach:
- Monitor your Starwood Preferred Guest account for any suspicious activity (http://bit.ly/2Smje2y).
- Change your password regularly. Do not use easily guessed passwords. Do not use the same passwords for multiple accounts.
- Review your payment card account statements for unauthorized activity and immediately report unauthorized activity to the bank that issued your card.
- Be vigilant against third parties attempting to gather information by deception (commonly known as “phishing”), including through links to fake websites. Marriott will not ask you to provide your password by phone or email.
- If you believe you are the victim of identity theft or your personal data has been misused, you should immediately contact your national data protection authority or local law enforcement.
- You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
- Fraud Alerts: There are two types of fraud alerts you can place on your credit report to put your creditors on notice that you may be a victim of fraud—an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least 90 days. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by contacting any of the three national credit reporting agencies.
- Credit Freezes: You have the right to put a credit freeze, also known as a security freeze, on your credit file, free of charge, so that no new credit can be opened in your name without the use of a PIN that is issued to you when you initiate a freeze. A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit. To request a security freeze, you will need to provide the following information:
  - Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
  - Social Security number
  - Date of birth
  - If you have moved in the past five years, provide the addresses where you have lived over the prior five years
  - Proof of current address such as a current utility bill or telephone bill
  - A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.)
  - If you are a victim of identity theft, include a copy of the police report, investigative report, or complaint to a law enforcement agency concerning identity theft
When Did This Happen?
“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a prepared statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Email notifications for those who may have been affected begin rolling out Friday.
While the breach affected “approximately 500 million guests” who made a reservation at one of the affected hotels, some of those records could include a single person who booked multiple stays.
Asked for more details on the 500 million number, Marriott spokesman Jeff Flaherty said Friday that the company has not finished identifying duplicate information in the database.
When the merger was announced in 2015, Starwood had 21 million people in its loyalty program.
The company manages more than 6,700 properties across the globe. Most are in North America.
While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.
“The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” said analyst Ted Rossman of CreditCards.com. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
“I’m worried about my information out there in the hands of someone that’s going to do wrong by it,” said New York tourist Robyn Petagrew.
An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had potentially been exposed until last week.
Marriott, based in Bethesda, Maryland, said in a regulatory filing that it’s premature to estimate what financial impact the data breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.
“This is a really big deal because it went on for years and years,” said Rossman.
The Starwood breach stands out among even the largest security hacks on record. Hilton had two separate data breaches that exposed more than 350,000 credit card numbers. One breach began in November 2014 and another in April 2015. Yahoo had data breaches in 2013 and 2014 that impacted about 3 billion of its accounts. Target also had an incident in 2013 that affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers.
Marriott has had a rocky process of merging its computer system with Starwood computers. Members of both loyalty programs have complained about missing points, glitches with stays crediting to their accounts and problems with free nights earned from credit cards not appearing.
Sorenson said that Marriott is still trying to phase out Starwood systems.
“The one good thing about these data breaches is that it reminds people to be careful about their information, their passwords,” said David Carnoy, executive editor of CNET.com. “It’s just a big reminder to be very careful about that.”
Marriott has set up a website and call center for anyone who thinks that they are at risk.
Shares of Marriott tumbled 5 percent at the opening bell.
(© Copyright 2018 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)