The Marriott Breach: What to do if Your Information Has Been Compromised

December 21, 2018
Cyber Alert

Download a PDF of the Alert

Risk Management Question

Are you one of 500 million guests whose personal and financial information was compromised in the recent breach of Marriott's guest reservation system?

The Issue

Marriott's guest reservation system may have compromised data including passport numbers, credit card numbers, email addresses, phone numbers, DOB, and arrival and departure information of not only Marriott guests, but also guests of the entire Starwood chain (think: major hotel names like Westin and Sheraton, among others). If you have stayed at the Marriott or any of the Starwood chain hotels within the past four years, it is likely your information has been compromised.

Risk Management Solution

If you have been a Marriott guest during this time period, assume your business and personal email accounts have been compromised, and be on the lookout for travel-related emails with detailed information about you and your family members. Follow our anti-phishing rules for any email you receive:

  1. Don't click on links in any electronic communications from Marriott or any Starwood chain hotel. If you must click, first call the hotel and confirm they sent it.
  2. Don't respond to voicemail messages, robo calls, or text messages from any Marriott or Starwood chain hotel. Don't call the number back. Instead, research the correct phone number and call the hotel or reservation system and confirm that they called you. The legitimate caller will not request any password by phone or email.
  3. Don't fall for a hacker's phishing email to provide any offers that sound too good to be true, such as: "We're sorry. Here is a free 2-night stay at any Marriott location."
  4. Closely monitor your credit cards to assess any suspicious activity.
  5. Change your passwords to any affected—or even unrelated—account.
  6. Consider signing up for Marriott's free WebWatcher enrollment at:

As always, think before you click.