Marriott Data Breach: The Numbers Don’t Add Up

Dec 7, 2018


Just a week ago we learned about one of the largest data breaches in recent memory in the travel industry. Marriott announced that as many as 500 million guests at Starwood hotels were affected, in a hack dating back to 2014.

In the case of about 327 million guests, the hackers took “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preference,” Marriott said.

However, Marriott didn’t clarify how many (if any) of the “guests” could potentially be duplicates. As we discussed the matter at TPG, it became clear that many of our own staff members were part of the affected group, as virtually all of us had stayed at SPG properties in recent years. The program promised to begin reaching out to affected customers on Friday Nov. 30, but today, a week after the breach was made public, very few TPG staff members had actually been contacted personally by Marriott.

Looking Deeper at the Numbers

Of course, an informal office poll gives a very small sample size, so we decided to poll our 47,000 TPG Lounge members on Facebook. The numbers just don’t add up for us. At the time of publication, over 95% of respondents say that they stayed at a Starwood hotel during the affected period but haven’t been notified personally by Marriott yet.

There are reports of class action lawsuits, and some TPG Lounge members are choosing to stay elsewhere.

Marriott said that it became aware of the breach two months ago. It’s been a week since it announced the breach to the public, so why haven’t more members been contacted directly? When we asked, Marriott provided us with the following statement:

“We provided information on November 30, 2018 through multiple channels including our websites, our Apps, a press release, social media and a dedicated website to assist guests about this incident. We also began sending emails on a rolling basis starting on November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database. Anyone who made a reservation on or before September 10, 2018 at a Starwood property and believes they may be impacted should go to for more information.”

It’s unclear from the answer whether Marriott actually intends to contact all guests with an email address on file. The affected TPG staff all have email addresses associated with their Marriott loyalty accounts. TPG Lounge members are active, engaged members of loyalty programs, and it stands to reason the vast majority has a valid email address on file with SPG and Marriott.

Two TPG staffers did receive emails from Marriott, though the emails largely repeated the text of last week’s press release. In them, Marriott acknowledges there were two levels of breach. While roughly 327 million guests may have had a very significant amount of information compromised, the remaining guests had a smaller amount of data exposed (“limited to name and sometimes other data such as mailing address, email address, or other information,” according to Marriott).

At the time of the SPG acquisition in 2015, Marriott had roughly 54 million members while SPG was just under half that size at 21 million members. While these numbers have likely fluctuated over the last few years, and certainly included some duplicates, the 21 million legacy SPG members should represent a decent percentage of the affected customers. In my case, I had approximately 200 unique stays during the period the breach is supposed to have covered. I would expect thousands, if not millions, of loyal SPG members to have a similar pattern during that time period.

Yet, so many of us have not been contacted. While there may be several different reasons for that, two rise to the top as most likely:

  1. Marriott really isn’t 100% sure which customers were affected yet. The company has an initial list of people it thinks with a high degree of confidence were affected, and it emailed them. For people they’re unsure of, they’ve chosen to hold off on more detailed notification.
  2. Marriott just doesn’t see the value in sending emails directly to all affected customers, figuring the broad approach of press releases and a small header on the website are sufficient.

I think it’s much more likely Marriott is still unsure of who’s affected. I took a quick peek and I’ve received 10 marketing emails from SPG (via a Marriott domain) over the past 30 days. They’re definitely not shy about sending emails. I understand the need to batch emails if you have many millions to send. However, it stands to reason they would have made much more progress contacting customers in a week than they seem to have made.

Data breaches are complex problems. Corporations like Marriott spend millions of dollars to prevent them and many more millions dealing with the aftermath of a breach. It’s understandable that Marriott may not have all the answers. After two months, though, it seems like they should have more information than they’ve shared with us thus far.

This opinion is shared by Israel del Rio, a former SVP of Technology Solutions at Starwood Hotels & Resorts, whom we interviewed earlier this year for our analysis of the program integration. We reached out to him for his thoughts and received the following response regarding the data breach:

“Marriott has yet to provide all necessary information to make sense of what happened. It appears that the breach occurred with the Data Warehouse; not the reservation system itself, and as such, the Data Warehouse would have historical records going back several years. Any suggestion that the breach must have occurred since 2014 because some of the stolen data were bookings from 2014 would be questionable.

Ideally, Marriott would disclose more details about the breach: confirm in what system it took place, when they detected it and how it was detected, how they think the breach occurred, etc.”

Reports are starting to emerge that Chinese hackers may be behind the breach, but there are still numerous outstanding questions.

Bottom Line

Marriott commented frequently during the integration process with Starwood how passionate the SPG loyalty members were. They must understand the importance of preserving that relationship by handling this data breach as well as possible. That’s what makes their reaction so puzzling.

Until we have more information, the best thing you can do is make sure you protect yourself and your information. We’ve outlined some of the best ways to do that. At a bare minimum, change your password to something unique immediately.

If you think your passport has been compromised, you may have options. After calls from Congress to do more to protect their members, Marriott has said they will cover the cost of a new passport if it’s proven that your current one was compromised as part of the breach.

When you consider the information hotels typically come in contact with, hackers could have a very clear picture of your identity. Credit cards, passports, full names, dates of birth and contact info are enough data to cause havoc with your identity. That’s what could make this one of the largest — and most costly — breaches of personal data we’ve ever seen.


This story originally stated, incorrectly, that no class-action lawsuits have been filed after the data breach. The story has been corrected.
