If you stayed at one of Marriott's Starwood hotels in recent years, hackers might have information on your address, credit card and even your passport. Some of this can be used for identity theft, as hackers create bank and other accounts under your name.
Marriott says the breach affected about 500 million guests, though it's possible the records could include a single person who booked multiple stays. Marriott says the unauthorized access had been taking place since 2014 and was only recently discovered. It's possible the data include hotel stays going further back.
How can you tell if you've been affected, and what can you do if you are?
Here are some things to know:
The breach affects only the hotel brands operated by Starwood before Marriott bought it in 2016. The brands include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties are also affected. Marriott-branded chains aren't affected, as data on those stays are on a different network.
Marriott says the breach affected reservations at Starwood properties through Sept. 10, 2018. That could include reservations made for a future stay.
AM I AFFECTED?
Marriott says it began sending emails to affected guests on Friday. Be careful, though, when you receive an email about this breach, as hackers may be using the incident to dupe you into providing passwords or installing malicious software. If you get such an email, it's best to go directly to a website Marriott has set up on this breach: https://answers.kroll.com . There, you can find information and phone numbers to call. For U.S. guests the number is 877-273-9481.
WHAT SHOULD I DO?
Marriott is offering free one-year subscription to a monitoring service, WebWatcher. This service monitors websites where stolen information is shared. If your details are found, you'll get an alert. It's available only for guests from the U.S., Canada and the U.K. U.S. residents are also eligible for consultation with a fraud specialist and reimbursement for legal and other expenses related to identity theft.
Though Marriott doesn't know yet whether hackers got all the keys to unlock encrypted credit card data, the company says it's quite possible they did. You should review your credit card statements for unauthorized activities.
In the U.S., you can also request free credit reports from Equifax, Experian and TransUnion. These reports may reveal accounts opened under your name.
MY INFORMATION HAS ALREADY BEEN HACKED. WHY SHOULD I WORRY NOW?
Hacks involving retailers and other businesses are usually limited to names, email and physical addresses and passwords. In some cases, payment cards are also stolen, meaning you need to replace your card and update all the services with auto payment enabled.
For about two-thirds of the 500 million Starwood guests affected, hackers may also have the date of birth and gender, which can contribute to identity theft.
Hackers also got passport numbers on this group of guests if the hotel had them. This might be the case with stays outside the U.S., where a U.S. driver's license isn't always accepted as identification. In the U.S., your passport number does change when you renew, but that might not be for years. The good news is that criminals often need the actual passport to do anything with your number.
The database may have details on future stays, including arrival and departure dates, along with your home address. Burglars could figure out when you'll be away. Ask a friend or neighbor to check your home, or arrange a house sitter.
WHAT SHOULD I DO IN THE FUTURE?
There's not much you can do to prevent such hacks, but you can mitigate the damage.
For starters, consider using a credit card rather than a debit card, as credit cards typically offer more protections against losses.
Even if you weren't affected in this breach, request the free credit reports anyhow. After all, they are free. Details are at the Marriott website. Check the website haveibeenpwned.com to see if your information has been stolen in other breaches.
And think twice when businesses ask you for personal information. Does the hotel really need your date of birth? Perhaps the information is requested for loyalty programs that might give you free stays — but nothing's really free, and your data has value to both the hotel and potential hackers.
Mae Anderson contributed to this report.