Security Breach Exposed Data of Starwood Guests

The State of Hawai‘i Office of Consumer Protection (OCP) is warning consumers who stayed at a Starwood timeshares, hotels and resorts as far back as 2014 to take steps to protect themselves from identity theft in view of a data breach exposing the personal information of up 500 million guest accounts worldwide.

Marriott, owner of Starwood Hotels and Resorts, announced  that its system has been compromised through the unauthorized access of Starwood Hotels’ guest reservation system. The breach has exposed passport numbers, mailing addresses, phone numbers, birthdates and Starwood Preferred Guest account information. Marriott has also stated that some guests may have had their credit card and payment card numbers stolen.

“We’re extremely concerned about the enormity of this breach and have opened up an investigation to determine its cause and impact on consumers,” said Stephen Levins, executive director of the State of Hawai‘i Office of Consumer Protection. “If companies are going to ask for our personal information it’s imperative that they implement strong safeguards to protect us from breaches.”

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott will begin sending emails on a rolling basis to affected guests who have shared their email addresses with Starwood. The email will not contain any attachments or request any information from the guest, and any links will only bring the guest to Marriott’s webpage dedicated to providing information regarding the data security incident involving the Starwood guest reservation database. The website is https://answers.kroll.com.

OCP cautions consumers to stay vigilant as they look for this email because malicious actors may pose as Marriott to trick guests into providing personal information about themselves through fake websites (phishing) or by impersonating a trusted individual. Marriott has indicated that the email will come from the following email address: [email protected].

Personal information exposed in data breaches can make its way to the black market, where it can be bought and used by scammers to execute a variety of attacks on individuals including identity theft and targeted email phishing schemes. As such, the OCP recommends consumers do the following to protect themselves:

• Check your credit reports from Equifax, Experian, and TransUnion and look for any unauthorized entries or accounts. Consumers can request a free credit report from each of the credit reporting agencies at www.annualcreditreport.com;
• Place a free credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name.
• If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you;
• Change your login information on accounts with the affected company. If you used that same username and password on other sites, change those too;
• Consider placing alerts on your financial accounts so your financial institution alerts you when money above a pre-designated amount is withdrawn;
• Beware of potential phishing emails; don’t open email messages or attachments from unknown senders and do not click on any unknown links. Fraudsters will frequently send coercive and misleading emails threatening account suspension or worse if sensitive information is not provided;
• Remember, businesses will never ask customers to verify account information via email or phone. If in doubt, contact the business in question directly for verification and to report phishing emails and phone calls; and
• Be on the lookout for spoofed email address. Spoofed email addresses arethose that make minor changes in the domain name, such as changing the letter O to the number zero, or lowercase letter I to the number one. Scrutinize all incoming email addresses to ensure that the sender is truly legitimate.

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Mérdien Hotels & Resorts, Four Points by Sheraton, Design Hotels that participate in Starwood Preferred Guests Program, and any Starwood branded timeshare property. The affected hotel brands operated by Starwood in Hawai‘i include well-known properties such as the Royal Hawaiian, Sheraton Waikīkī, Moana Surfrider and the Ritz-Carlton Residences, Waikīkī Beach. Marriott branded hotels were not affected.