How to Handle the Marriott Breach

Marriott announced last week that as many as 500 million of their Starwood Guests had their customer data exposed. In this post I’ll go over what we know about the Marriott breach, what you can do about it, and how to mitigate damage from the inevitable future breaches.

Details of the Marriott Breach

Here are the key excerpts from the announcement:

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. … Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information.

Marriott … believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted. There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

Who Was Affected by the Marriott Breach?

By any standard, the Marriott Breach was massive. Basically, if you stayed at any Marriott property in the last five years, your data may have been leaked. These properties include Starwood branded timeshare properties, W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Marriott is supposedly emailing affected customers, though I’ve stayed in several of these hotels in that time frame and I have not been notified. At this point, if you’ve been a guest at one of these places, I would assume you are affected.

What You Can Do

Below are some specific tips for dealing with this breach (and most other data breaches).

Beware of scams!

Whenever there is a massive breach like this, other bad guys swoop in to take advantage of the chaos and fear. You may get phone calls or emails or even regular mail scams that entice you with bogus help or scare you with false claims. Your main source of information will be (which currently redirects to

Change your password, use 2FA

If you have a Starwood Preferred Guest account, log in and change your password. If you used that password on any other online accounts, change those passwords, as well. Use a new, strong, random, unique password in all cases. The only way to reliably do that is by using a password manager. I personally recommend LastPass, but other good options include 1Password or DashLane. You should also use two-factor authentication on your most important online accounts (financial, medical, social).

Freeze your credit report

You should freeze your credit with all three major credit bureaus. It’s a pain to do this, but at least it’s now free everywhere in the US. This will require you to ‘thaw’ your report whenever you need new credit. That includes getting a loan, credit card, or any financing. Credit reports are also used when applying for a job, signing up for utilities or cell phone service. But it’s frankly the best way to guard against crippling identity theft. If you can’t bring yourself to do this, then at least sign up for a fraud alert.

Watch your accounts, order reports

Keep an eye on your financial accounts for fraudulent activities. If you haven’t already, mark your calendar to order your free annual credit reports every year. Since there are three major credit bureaus, I would order one from each agency every four months. For example: Experian in January, Equifax in May and TransUnion in September. Use the official site only:

Final thoughts

If your identity is stolen, head to the web site to learn what you can do to mitigate the damage.

Marriott is offering affected customers a free year’s subscription to Web Watcher. All this will do is tell you if your info shows up on some shady websites. But it’s free and if it makes you feel better, you can sign up. Be sure to set a reminder in 11.5 months to stop the service before they charge you for next year.
