Our data breach lawyers have filed a class action lawsuit concerning the hack of Starwood’s reservations system, compromising the personal information of 500 million customers. Our Marriott Starwood data breach class action lawsuit alleges that Marriott and Starwood knew that they were at risk of a cyberattack, but did not take the threat sufficiently seriously. The complaint lists numerous reasonable security measures that Starwood did not have in place to protect its databases.
Marriott first announced on November 30, 2018, that its Starwood reservations system was hacked, and the information stolen included passport numbers and credit/debit card information.
The hacked Starwood database reportedly contained personal information of people who stayed at a Starwood, Sheraton, Westin, or St. Regis hotel in the last four years, and possibly beyond.
Update: January 4, 2019 | Marriott announces that only 328 million guests’ information and 25.5 million passport numbers were stolen in the Starwood data breach. Of those, Marriott says 5.25 million passport numbers were stored unencrypted when the hackers accessed them.
Class Action Lawsuit: Starwood and Marriott Failed to Implement Reasonable Security Measures
Our Starwood data breach lawsuit alleges that Starwood failed to adopt several cybersecurity measures that could have potentially stopped the hackers in their tracks, such as:
- Performing reasonable audits of their security controls
- Implementing proper monitoring and alerting systems to detect and notify cybersecurity staff about cyber-intrusions
- Adequately protecting payment card “keys” that were intended to protect consumers’ credit card information.
Marriott Announces Massive Starwood Data Breach in Late 2018
USA Today reports that the Starwood data breach may have affected customers who made reservations as long as 4 years ago, or beyond. The hackers reportedly had access to Starwood’s computer systems, without being caught, for 4 years.
Cybersecurity expert Brian Krebs reports that the hackers encrypted the stolen data, likely to avoid detection by “data loss prevention” (DLP) technology. Marriott is still in the process of decrypting the data set, reports Krebs, so the hotel chain is still unsure of the full extent of the breach. Marriott believes, at this time, that 500 million customers are affected.
But it could be more. In the Yahoo and Equifax data breaches, the number of affected customers kept expanding as the companies kept investigating.
What information was stolen in the Marriott Starwood Data Breach?
According to the Marriott/Starwood data breach website, the hackers stole information of up to 500 million customers from a Starwood reservations database containing personal information from anyone who stayed at a:
- Starwood hotel,
- Starwood timeshare,
- W Hotels,
- St. Regis hotel,
- Sheraton Hotels & Resorts,
- Westin Hotels & Resorts,
- Element Hotels,
- Aloft Hotels,
- The Luxury Collection hotel or resort,
- Tribute Portfolio hotels & resorts,
- Le Méridien Hotels & Resorts,
- Four Points by Sheraton, and
- Design Hotels.
This group of hotels is sometimes called the SPG collection, a reference to the Starwood Preferred Guest program.
According to Marriott, 327 million SPG customers and Starwood guests had the following information compromised: name; address; email; phone number; passport number; SPG account information; date of birth; gender; and travel itinerary.
For some Starwood, Sheraton, Westin, and St. Regis guests, their credit or debit card numbers were also stolen. As creditcards.com explains:
If you made a reservation at a Marriott Starwood hotel on or before Sept. 10, 2018, it’s possible your credit card information is in the hands of hackers.
How do I know if I'm affected by the Marriott Starwood data breach?
According to Marriott’s data breach notification website (“info.starwood.com”), the company started sending emails on a “rolling basis” starting on November 30, 2018, to notify affected guests.
Because the notifications are going out on a rolling basis, just because you haven’t received an email does not mean you aren’t affected. Marriott may send you a breach notification email at a later date.
The notification emails are being sent to the email addresses that Marriott has on file in its Starwood guest reservation database.
Marriott also says that you may be able to phone its call center to find out whether you were affected by the Starwood data breach (but you may not get through due to high call volume). Marriott says the call center numbers for the Starwood breach are:
- United Arab Emirates: 8000-3201-34
What is Kroll?
Marriott has reportedly hired a firm called Kroll to handle its data breach response. Kroll has reportedly been retained to run Marriott’s data breach notification website and to provide an identity monitoring service called “WebWatcher,” which it says “monitors internet sites where personal information is shared and generated an alert to the consumer” if there is evidence that the consumer’s personal information is being shared illegally. Kroll says its WebWatcher service also provides free fraud consultation services and free fraud reimbursement insurance coverage. Marriott says that it is providing WebWatcher to its guests for free for one year.
Kroll’s WebWatcher service is not to be confused with the WebWatcher application, which is an app that parents can use to monitor their children’s text messages, website visits, call log, and GPS.
Kroll says that U.S. residents can sign up for the free year of identity monitoring by going to “answers.kroll.com/us/index.html”.
Are SPG members affected by Marriott's Starwood data breach?
Marriott has announced that Starwood Preferred Guest (SPG) account information was compromised as part of the breach. The Starwood data breach website, run by Kroll, recommends that SPG members:
- Monitor your SPG account for any suspicious activity
Kroll also recommends that you “[c]hange your password.”
Our SPG/Starwood Data Breach Attorneys
Our Data Breach Lawsuit Experience
Our attorneys served in a court-appointed leadership role in the Anthem data breach class action, and helped achieve a $115 million settlement for victims of the Anthem data breach. The settlement received final approval from the court in August 2018.
Our data breach lawyers also currently serve in court-appointed leadership positions in the Equifax data breach lawsuit, Banner Health data breach lawsuit, and Excellus Health data breach lawsuit.
We’ve also achieved landmark results in our past data breach cases, including the Adobe data breach litigation, UCSF data breach lawsuit, and Health Net of California data breach litigation.