Hotel data hack hits up to 500 million guests

The incident affects customers who made reservations at Starwood hotels on or before 10 September 2018.

The Starwood hotel brands include: Aloft Hotels, Design Hotels, Element Hotels, Four Points by Sheraton, Le Méridien Hotels & Resorts, Sheraton Hotels & Resorts, St. Regis, The Luxury Collection, Tribute Portfolio, W Hotels and Westin Hotels & Resorts. Starwood-branded timeshare properties are also included. The hack does not affect those who booked with a Marriott-branded hotel.

About 327 million of the affected customers are thought to have had details compromised including names, addresses, phone numbers, dates of birth, as well Starwood customer details such as departure and arrival information and reservation dates.

Some may also have had payment details such as card numbers and expiration dates accessed – while these are protected by encryption, Marriott is unable to rule out the possibility that the information needed to decrypt them may have also been taken.

The remaining affected customers have had their names accessed, and in some cases other information including email and home addresses.

We've asked Marriott how many UK customers have been affected and will update this story when we know more.

What happened?

Marriott says it discovered the breach on 8 September this year, but found there had been unauthorised access to its Starwood network since 2014.

On 19 November, Marriott decrypted the information that had been copied during the breach and found it was from the Starwood guest reservation database.

It says it has reported the incident to the relevant authorities.

How can I tell if I'm affected?

Marriott says it will begin sending emails to affected customers who are on the email database on a rolling basis from today (30 November).

If you're concerned, you can also go to its dedicated help website or phone the UK help centre on 0808 189 1065.

Marriott says it will be offering affected customers a free one-year enrolment to WebWatcher, a service which monitors internet sites where personal information is shared, and alerts customers if their information is found.

You can also take the following steps to minimise the risk of being hit by fraud (see our 30+ Ways to Stop Scams guide for full help):

• Check your bank or credit card transactions regularly. If you spot any unfamiliar or unusual activity, make sure you contact your bank immediately and let it know.

• If worried, demand a new card. Banks and credit card firms often take different approaches, but if yours isn't routinely replacing cards affected by this breach, you can ask for a replacement card anyway.

• Beware of 'phishing scams'. Criminals may attempt to use the news of the data breach as an opportunity to trick people affected into revealing information. Remember that no bank or any other genuine organisation will contact you out of the blue to ask for details such as your PIN or banking password, and beware of clicking on any links in text messages or emails.

• Change your login password. And if you use that password elsewhere, make sure you change it there too. It's good practice to use different passwords – see our Password Security guide for more help.

• See if your card provider lets you get payment notifications. Some card providers, such as American Express, allow you to get notifications on your phone or tablet every time a payment is made on your card. This way, you can see instantly when a payment goes out if it's one you aren't expecting.

What does Marriott say?

Marriott's president and chief executive Arne Sorenson said: "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."