Starwood Guest Reservation Database Security Incident
Marriott has taken measures to investigate and address a data security incident involving the Starwood guest reservation database. This site has information concerning the incident, answers to guests’ questions and steps you can take.
Updated: 15 February 2019
The initial announcement we made on November 30, 2018, about the Starwood guest reservation database security incident stated that there may have been information on up to 500 million guests involved. We also reported that for approximately 327 million of these guests, the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, and encrypted payment card numbers.
When we made this announcement, our work analyzing the data involved was underway. Since that time, we have been working to remove duplicate information and to determine how many records had particular types of data present.
After further data analysis we have identified approximately 383 million records as the upper boundary for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest. We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.
Allowing for the fact that even the most exhaustive investigation cannot necessarily provide complete certainty, Marriott now believes the following about the data involved in the incident:
- There were approximately 8.6 million unique payment card numbers, all of which were encrypted;
- There were approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.
Original Notice from 30 November 2018
Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.
On September 8, 2018, Marriott received information that an alert from an internal security tool was related to an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information. Marriott reported this incident to law enforcement and continues to support their investigation. We have already begun notifying regulatory authorities.
Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.
Marriott has taken the following steps to help guests monitor and protect their information:
Dedicated Call Center
Marriott has established a dedicated call center to answer questions you may have about this incident. The call center is available in multiple languages. Our dedicated call center may experience high call volume initially, and we appreciate your patience. Please check info.starwoodhotels.com for any updates to our call center contact details.
The call center contact details are:
| Country/Region | Toll Free Phone Number | Hours | Days of the Week |
|---|---|---|---|
| Argentina | 0800 345 5412 | 1200 - 0000 ART | Mon-Sun |
| Australia | 1 800 270917 | 24 Hours | Mon-Sun |
| Austria | 0800 281462 | 0900-2100 CET | Mon-Sun |
| Belgium | 0800 70843 | 0900-2100 CET | Mon-Sun |
| Brazil | 0800 724 8312 | 0900-2100 Brasilia ST | Mon-Sun |
| Bulgaria | 0800 46057 | 24 Hours | Mon-Sun |
| Canada | 1 877 273 9481 | 0900-2100 EST | Mon-Sun |
| Chile | 800 914056 | 1200 - 0000 CLST | Mon-Sun |
| China | 400 120 0845 | 0900-1800 China ST | Mon-Sun |
| Colombia | 01800 518 5279 | 0900 - 2100 COT | Mon-Sun |
| Croatia | 0800 805974 | 24 Hours | Mon-Sun |
| Cyprus | 8007 7002 | 24 Hours | Mon-Sun |
| Czech Republic | 800 144 335 | 24 Hours | Mon-Sun |
| Denmark | 807 05303 | 24 Hours | Mon-Sun |
| Estonia | 800 0049 093 | 24 Hours | Mon-Sun |
| Finland | 0800 412894 | 24 Hours | Mon-Sun |
| France | 0805 080216 | 0900-2100 CET | Mon-Sun |
| Germany | 0800 1 801 978 | 0900-2100 CET | Mon-Sun |
| Greece | 00800 4922 493 0009 | 24 Hours | Mon-Sun |
| Hong Kong SAR, China | 80 096 7828 | 24 Hours | Mon-Sun |
| Hungary | 800 88202 | 24 Hours | Mon-Sun |
| India | 000 800 050 1531 | 24 Hours | Mon-Sun |
| Ireland | 1 800 903133 | 24 Hours | Mon-Sun |
| Israel | 1 80 946 7273 | 24 Hours | Mon-Sun |
| Italy | 800 728 023 | 0900-2100 CET | Mon-Sun |
| Japan | 0120 901 011 | 0900-1800 Japan ST | Mon-Fri |
| Latvia | 8000 3590 | 0800 - 2000 EET | Mon-Sun |
| Lithuania | 8 800 00394 | 24 Hours | Mon-Sun |
| Luxembourg | 8002 2870 | 0900-2100 CET | Mon-Sun |
| Malaysia | 1 800 815310 | 24 Hours | Mon-Sun |
| Malta | 800 62784 | 24 Hours | Mon-Sun |
| Mexico | 01 800 099 0742 | 0900-2100 EST | Mon-Sun |
| New Zealand | 0800 359 805 | 24 Hours | Mon-Sun |
| Peru | 0800 78472 | 0900 - 2100 PET | Mon-Sun |
| Philippines | 1 800 1322 0163 | 24 Hours | Mon-Sun |
| Poland | 00 800 1410322 | 24 Hours | Mon-Sun |
| Portugal | 800 180205 | 1100 - 2300 GMT | Mon-Sun |
| Romania | 0800 360147 | 24 Hours | Mon-Sun |
| Russia | 8 800 100 6925 | 0900-2100 Moscow | Mon-Sun |
| Saudi Arabia | 800 8852897 | 0800 - 2000 AST | Mon-Sun |
| Singapore | 800 4922405 | 24 Hours | Mon-Sun |
| Slovakia | 0 800 002 328 | 24 Hours | Mon-Sun |
| Slovenia | 0 806 88804 | 24 Hours | Mon-Sun |
| South Africa | 0 800 980 645 | 24 Hours | Mon-Sun |
| South Korea | 080 822 1429 | 0900-1800 Korea ST | Mon-Fri |
| Spain | 900 905407 | 0900-2100 CET | Mon-Sun |
| Sweden | 020 109326 | 24 Hours | Mon-Sun |
| Switzerland | 0800 561876 | 0900-2100 CET | Mon-Sun |
| Taiwan | 00801 491 196 | 0900-1800 China ST | Mon-Sun |
| The Netherlands | 0800 0228574 | 24 Hours | Mon-Sun |
| United Arab Emirates | 800 0320134 | 0900-2100 Gulf | Mon-Sun |
| UK | 0 808 189 1065 | 0800-2000 GMT | Mon-Sun |
| USA | 1 877 273 9481 | 0900-2100 EST | Mon-Sun |
| Vietnam | 122 80 369 | 24 Hours | Mon-Sun |
Marriott began sending emails on a rolling basis on November 30, 2018 to affected guests whose email addresses are in the Starwood guest reservation database.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana) are also included.
Free Web Monitoring Enrollment
Click on your country/region, if listed, to begin the enrollment process.
Marriott is providing guests the opportunity to enroll in web monitoring free of charge for one year. This service monitors internet sites where personal information is shared and generates an alert to the guest if evidence of the guest's personal information is found. Due to regulatory and other reasons, web monitoring or similar products are not available in all countries/regions. Guests from the United States who complete the web monitoring enrollment process will also be provided fraud consultation services and reimbursement coverage for free.
Frequently Asked Questions
These Frequently Asked Questions May Be Supplemented From Time to Time
If you would like to know the specific information about you involved in the incident, please complete this form and we will endeavor to provide you with more information as soon as possible.