Marriott’s representatives confirmed that an unauthorized party hacked into the database of its Starwood division. An international investigation revealed that hackers had accessed the database as early as 2014.

This means that for almost 5 years the hotel chain had no idea it was compromised. It’s possible that the hotels’ WiFi access was hacked as well.

According to reports, for about 327 million of the guests, the information includes some combination of:

    • name
    • mailing address
    • phone number
    • email address
    • passport number
    • account information
    • date of birth
    • gender
    • arrival and departure

Some records also included encrypted payment card information.

“We deeply regret this incident happened. […] The company has already begun notifying regulatory authorities,” Marriott said in a statement. It said an internal investigation found an attacker had been able to access the Starwood network since 2014. The UK’s Information Commissioner’s Office later confirmed that it had received a data breach report from Marriott.

The Starwood brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. However, Marriott-branded hotels may not have been affected because they use a separate reservation system on a different network.

The hotel chain has set up a website to give customers more details about the incident, answer questions and explain what steps the breach victims should take.

How to Secure Your Data

It’s disappointing, yet common, for companies to try to hide data breaches. Some of them, as Uber did, even pay hackers to keep the breaches secret.

In Europe, under GDPR, if customers’ sensitive data was affected during a cyber-attack, firms must notify them directly no later than 72 hours after having become aware of it. Failing to do that will result in serious fines.

While people develop so-called data breach fatigue, hackers get more and more creative. It has never been so critical to protect your data.

Just make sure to follow these steps:

    • Use a VPN while connected to a hotel’s WiFi network. Because hackers may have compromised WiFi access, it’s essential to encrypt your data while using it. That way, even if somebody is listening on the network, they can’t see what you’re up to online.
    • Try registering under a fake name and surname.
    • If possible, pay for the reservation in cash.
    • If your registration requires a password, avoid using a password that you use anywhere else.

This article was originally published: 30 November 2018

Updated: 3 December 2018
