Department of Commerce and Consumer Affairs

DEPARTMENT OF COMMERCE AND CONSUMER AFFAIRS

OFFICE OF CONSUMER PROTECTION

DAVID Y. IGE

GOVERNOR

Catherine P. Awakuni Colón

DIRECTOR

STEPHEN H. LEVINS

EXECUTIVE DIRECTOR, OFFICE OF CONSUMER PROTECTION

 

FOR IMMEDIATE RELEASE
November 30, 2018

Marriott Security Breach Exposed Data of  Starwood Hotels and Resorts Guests

HONOLULU – The State of Hawaii Office of Consumer Protection (OCP) is warning consumers who stayed at a Starwood hotel or timeshare as far back as 2014 to take steps to protect themselves from identity theft in view of a data breach exposing the personal information of up 500 million guest accounts worldwide.

Marriott, owner of Starwood Hotels and Resorts, announced today that its system has been compromised through the unauthorized access of Starwood Hotels’ guest reservation system. The breach has exposed passport numbers, mailing addresses, phone numbers, birthdates, and Starwood Preferred Guest account information.  Marriott has also stated that some guests may have had their credit card and payment card numbers stolen.

“We’re extremely concerned about the enormity of this breach and have opened up an investigation to determine its cause and impact on consumers. If companies are going to ask for our personal information it’s imperative that they implement strong safeguards to protect us from breaches,” said Stephen Levins, executive director of the State of Hawaii Office of Consumer Protection.

Starting today, Marriott will begin sending emails on a rolling basis to affected guests who have shared their email addresses with Starwood. The email will not contain any attachments or request any information from the guest, and any links will only bring the guest to Marriott’s webpage dedicated to providing information regarding the data security incident involving the Starwood guest reservation database. The website is https://answers.kroll.com.

OCP cautions consumers to stay vigilant as they look for this email because malicious actors may pose as Marriott to trick guests into providing personal information about themselves through fake websites (phishing) or by impersonating a trusted individual. Marriott has indicated that the email will come from the following email address: [email protected].

Personal information exposed in data breaches can make its way to the black market, where it can be bought and used by scammers to execute a variety of attacks on individuals including identity theft and targeted email phishing schemes. As such, the OCP recommends consumers do the following to protect themselves:

• Check your credit reports from Equifax, Experian, and TransUnion and look for any unauthorized entries or accounts. Consumers can request a free credit report from each of the credit reporting agencies at www.annualcreditreport.com;
• Place a free credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name.
• If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you;
• Change your login information on accounts with the affected company. If you used that same username and password on other sites, change those too;
• Consider placing alerts on your financial accounts so your financial institution alerts you when money above a pre-designated amount is withdrawn;
• Beware of potential phishing emails; don’t open email messages or attachments from unknown senders and do not click on any unknown links. Fraudsters will frequently send coercive and misleading emails threatening account suspension or worse if sensitive information is not provided;

• Remember, businesses will never ask customers to verify account information via email or phone. If in doubt, contact the business in question directly for verification and to report phishing emails and phone calls; and
• Be on the lookout for spoofed email address. Spoofed email addresses arethose that make minor changes in the domain name, such as changing the letter O to the number zero, or lowercase letter I to the number one. Scrutinize all incoming email addresses to ensure that the sender is truly legitimate.

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Mérdien Hotels & Resorts, Four Points by Sheraton, Design Hotels that participate in Starwood Preferred Guests Program, and any Starwood branded timeshare property. The affected hotel brands operated by Starwood in Hawaii include well-known properties such as the Royal Hawaiian, Sheraton Waikiki, Moana Surfrider and the Ritz-Carlton Residences, Waikiki Beach. Marriott branded hotels were not affected.

# # #

Media Contact:

William Nhieu
Communications Officer
Department of Commerce and Consumer Affairs
Email: [email protected]
Phone: (808) 586-7582