Starwood Guest Reservation Database Security Incident

Marriott International

Marriott has taken measures to investigate and address a data security incident involving the Starwood guest reservation database. This site has information concerning the incident, answers to guests’ questions and steps you can take.

Updated: 15 February 2019

The initial announcement we made on November 30, 2018, about the Starwood guest reservation database security incident stated that there may have been information on up to 500 million guests involved. We also reported that for approximately 327 million of these guests, the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, and encrypted payment card numbers.

When we made this announcement, our work analyzing the data involved was underway. Since that time, we have been working to remove duplicate information and to determine how many records had particular types of data present.

After further data analysis we have identified approximately 383 million records as the upper boundary for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest. We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.

Allowing for the fact that even the most exhaustive investigation cannot necessarily provide complete certainty, Marriott now believes the following about the data involved in the incident:

  • There were approximately 8.6 million unique payment card numbers, all of which were encrypted;
  • There were approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.

Original Notice from 30 November 2018

Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.

On September 8, 2018, Marriott received information that an alert from an internal security tool was related to an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information. Marriott reported this incident to law enforcement and continues to support their investigation. We have already begun notifying regulatory authorities.

Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.

Guest Support

Marriott has taken the following steps to help guests monitor and protect their information:

Dedicated Call Center

Marriott has established a dedicated call center to answer questions you may have about this incident. The call center is available in multiple languages. Our dedicated call center may experience high call volume initially, and we appreciate your patience. Please check info.starwoodhotels.com for any updates to our call center contact details.
The call center contact details are:

Country/Region Toll Free Phone Number Hours Days of the Week
Argentina 0800 345 5412 1200 - 0000 ART Mon-Sun
Australia 1 800 270917 24 Hours Mon-Sun
Austria 0800 281462 0900-2100 CET Mon-Sun
Belgium 0800 70843 0900-2100 CET Mon-Sun
Brazil 0800 724 8312 0900-2100 Brasilia ST Mon-Sun
Bulgaria 0800 46057 24 Hours Mon-Sun
Canada 1 877 273 9481 0900-2100 EST Mon-Sun
Chile 800 914056 1200 - 0000 CLST Mon-Sun
China 400 120 0845 0900-1800 China ST Mon-Sun
Colombia 01800 518 5279 0900 - 2100 COT Mon-Sun
Croatia 0800 805974 24 Hours Mon-Sun
Cyprus 8007 7002 24 Hours Mon-Sun
Czech Republic 800 144 335 24 Hours Mon-Sun
Denmark 807 05303 24 Hours Mon-Sun
Estonia 800 0049 093 24 Hours Mon-Sun
Finland 0800 412894 24 Hours Mon-Sun
France 0805 080216 0900-2100 CET Mon-Sun
Germany 0800 1 801 978 0900-2100 CET Mon-Sun
Greece 00800 4922 493 0009 24 Hours Mon-Sun
Hong Kong SAR, China 80 096 7828 24 Hours Mon-Sun
Hungary 800 88202 24 Hours Mon-Sun
India 000 800 050 1531 24 Hours Mon-Sun
Indonesia 0078033218412 24 Hours Mon-Sun
Ireland 1 800 903133 24 Hours Mon-Sun
Israel 1 80 946 7273 24 Hours Mon-Sun
Italy 800 728 023 0900-2100 CET Mon-Sun
Japan 0120 901 011 0900-1800 Japan ST Mon-Fri
Latvia 8000 3590 0800 - 2000 EET Mon-Sun
Lithuania 8 800 00394 24 Hours Mon-Sun
Luxembourg 8002 2870 0900-2100 CET Mon-Sun
Malaysia 1 800 815310 24 Hours Mon-Sun
Malta 800 62784 24 Hours Mon-Sun
Mexico 01 800 099 0742 0900-2100 EST Mon-Sun
New Zealand 0800 359 805 24 Hours Mon-Sun
Peru 0800 78472 0900 - 2100 PET Mon-Sun
Philippines 1 800 1322 0163 24 Hours Mon-Sun
Poland 00 800 1410322 24 Hours Mon-Sun
Portugal 800 180205 1100 - 2300 GMT Mon-Sun
Romania 0800 360147 24 Hours Mon-Sun
Russia 8 800 100 6925 0900-2100 Moscow Mon-Sun
Saudi Arabia 800 8852897 0800 - 2000 AST Mon-Sun
Singapore 800 4922405 24 Hours Mon-Sun
Slovakia 0 800 002 328 24 Hours Mon-Sun
Slovenia 0 806 88804 24 Hours Mon-Sun
South Africa 0 800 980 645 24 Hours Mon-Sun
South Korea 080 822 1429 0900-1800 Korea ST Mon-Fri
Spain 900 905407 0900-2100 CET Mon-Sun
Sweden 020 109326 24 Hours Mon-Sun
Switzerland 0800 561876 0900-2100 CET Mon-Sun
Taiwan 00801 491 196 0900-1800 China ST Mon-Sun
The Netherlands 0800 0228574 24 Hours Mon-Sun
United Arab Emirates 800 0320134 0900-2100 Gulf Mon-Sun
UK 0 808 189 1065 0800-2000 GMT Mon-Sun
USA 1 877 273 9481 0900-2100 EST Mon-Sun
Vietnam 122 80 369 24 Hours Mon-Sun

Email Notification

Marriott began sending emails on a rolling basis on November 30, 2018 to affected guests whose email addresses are in the Starwood guest reservation database.

Starwood Hotels and Resorts Company Logo

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana) are also included.

Free Web Monitoring Enrollment

Click on your country/region, if listed, to begin the enrollment process.

Marriott is providing guests the opportunity to enroll in web monitoring free of charge for one year. This service monitors internet sites where personal information is shared and generates an alert to the guest if evidence of the guest's personal information is found. Due to regulatory and other reasons, web monitoring or similar products are not available in all countries/regions. Guests from the United States who complete the web monitoring enrollment process will also be provided fraud consultation services and reimbursement coverage for free.

Frequently Asked Questions

These Frequently Asked Questions May Be Supplemented From Time to Time

If you would like to know the specific information about you involved in the incident, please complete this form and we will endeavor to provide you with more information as soon as possible.

Leave a comment

Your email address will not be published. Required fields are marked *

Supportscreen tag