SPG Data Breach: You Can Now Check If Your Data Was Stolen (Results Sent Out)

Update 3/13/19: Results of checking if your data was stolen are now being sent out. Hat tip to reader Dan W.

Back on November 30th, 2018, Marriott revealed that SPG reservation systems were breached, with ~500 million guests’ data stolen (since downgraded to 383 million unique guests); some of this information included payment and passport data. Months later, it’s now possible to find out whether your data was stolen (technically Marriott was supposed to have already informed you, but in some cases contact details are either incomplete or inaccurate).

I have a few issues with how Marriott is handling this:

  • The process is being completed by security firm OneTrust, so the actual form is not on the Marriott/SPG website. Marriott really shouldn’t be encouraging customers to enter this level of sensitive information on a third-party website.
  • The breach was first reported in November of last year. Why has this process taken so long?
  • I don’t think Marriott has been proactive enough in informing customers. In some cases the contact information is incomplete but part of it is still accurate (e.g. the e-mail might be inaccurate but the phone number works).

It’s also worth pointing out that the checker isn’t instant; you’ll need to wait for a response. Personally, there is no way I’m giving potentially even more sensitive data to a third party to check if my data was breached.

Hat tip to TechCrunch


35 Comments

SF (@guest_734843)
March 14, 2019 14:07

I was expecting a reply the same day I submitted this form lol

dan (@guest_734524)
March 13, 2019 21:47

What is the subject line of the email confirming that your information was breached?

Drew R (@guest_734567)
March 13, 2019 23:18

Sender: [email protected]
Subject: “(Request ID: ######) Your Privacy Request needs action”

The # will have a unique code that resembles an airline booking reference ID

doc (@guest_734462)
March 13, 2019 19:31

This is nuts. “Enter your data into another random site to see if your data is breached!”

I’ll pass, thanks.

Dave (@guest_734447)
March 13, 2019 19:10

I went through the sign-up process for Kroll’s Web Watcher Monitoring (via info.starwoodhotels.com). My initial 32 character password was rejected as “too long”, as was a 16 character attempt – 12 characters is apparently enough in the eyes of these muppets.

sloebrake (@guest_734492)
March 13, 2019 20:34

Out of the 4+ or so ID protection companies that I’ve been gifted memberships to, Kroll was one of the worst.

Their reporting of hard pulls and new accounts was so variable, and in some cases longer than a week, that I actually thought someone finally did use the stolen data.

Drew R (@guest_734343)
March 13, 2019 15:18

Filled out this form 2/16, just got a response today:

Dear [name],

We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident. Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:

* Name

* Birthdate

* Birthday (Month and Day Only)

* Address Information

* Primary Email Address

* Primary Phone Number

* Other Phone Information

* Credit Card Expiration Date

* Credit Card Type

* Encrypted Credit Card Number

* Starwood Preferred Guest (SPG) Number

* Starwood Preferred Guest (SPG) Loyalty Status and Balances

* Guest Frequent Traveler Program Information

* Starwood Executive Traveler Number

* Guest Opt-In Preferences

* Email Communication Preferences

* Reservation Details

* Central Starwood Unique Record Locator

* Employed at Starwood (Y/N)

* Record History Information

Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com. If you have further questions or requests regarding this information, please contact us through this portal. You will continue to have access to this request for the next 30 days.

Thank you.

Marriott Privacy Center

Joe (@guest_734446)
March 13, 2019 19:08

I got basically the same thing. Truly pathetic.

Oh – and I blame Marriott at this point. But good job trying to pawn it off on SPG.

Mine also had “Guest Frequent Traveler Program Information.” I hope that isn’t FF#s for linked programs.

Kevyx72 (@guest_734512)
March 13, 2019 21:15

Got the same + credit card number and expiration date. Such a long list

Drew R (@guest_734564)
March 13, 2019 23:14

Yea, and I can’t imagine how many people put in their newly merged Marriott number and got an email saying their info was not hacked when it actually was. To be sure I filled out the form twice, one with my old SPG number and one with my SPG/Marriott merged number. The first response said my information was hacked, the second said it wasn’t.

Josh (@guest_723595)
February 17, 2019 14:15

LOL they couldn’t host/cname under their own domain and HTTPS cert? Wow

Shawn C (@guest_723530)
February 17, 2019 03:58

PSA: Your new Marriott number is not what they want in the form. To find your original SPG number, you should search for an email titled “Welcome to Starwood Preferred Guest” and it will have your old SPG number.

Debit (@guest_723502)
February 17, 2019 00:25

Nothing will happen if you don’t go to your Congress person’s townhall and bring up the issue. Should doc set up a separate page where people comment which Congress person they have told that USA should have data protection along the lines of GDPR? Or the whores in Congress will keep selling their souls for campaign contributions from corporate.

MoreSun (@guest_723494)
February 16, 2019 23:41

ROFL. Nobody can top Marriott like Marriott. It’s an art form really.

Mike Advantage (@guest_723478)
February 16, 2019 22:27

When and how do I get my compensation for this breach of my data?

U.S. government won’t hold any of these companies responsible. Thanks.