News & Events


Marriott recently revealed that its Starwood guest reservation database has been subject to unauthorised access “since 2014”.
The scope of the data breach is huge, covering nearly five years and approximately 500 million guests.

Who’s affected?
The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk:

If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.

According to Marriott, its Starwood brands include:

  • Starwood branded timeshare properties
  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Méridien Hotels & Resorts
  • Four Points by Sheraton and
  • Design Hotels.

What data is at risk?
It seems that different guests may be subject to different levels of exposure, according to how much data they shared.

Information put at risk by the breach includes “some combination of” name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, payment card numbers and payment card expiration dates.

Although payment card numbers were encrypted, thieves may have stolen the information required to decrypt them.

What Should I Do?
If you have used one of the hotel brands above:

  • Change your password to the Marriott / Starwood websites
  • If you think you may have reused the same password on other sites (dangerous practice) change those passwords to different, strong, unique passwords.
  • Review your payment card account statements for unauthorised activity and immediately report unauthorised activity to the bank that issued your card.
  • Be very aware for fake, phishing emails about the attack. These breaches are seen by criminals as a great opportunity to get users to go to malicious websites, download documents etc. the only legitimate address from the company on this subject is

As at time of writing, the breached database is not able to be checked via the usual data breach notification websites such as haveibeenpwned. The identity of whoever had access to the reservation database hasn't been revealed, or else remains unknown. Over the next few months, investigators will try to figure out where the data may have ended up.

Underground marketplaces on the so-called dark web are the go-to place to sell stolen data, but it doesn't appear the Marriott data is being offered just yet. However, the public revelation of a breach can cause hackers to try to monetise data, particularly stolen payment card numbers, before issuers cancel cards that have a high potential of being used for fraud.

RiskNZ and Cybercraft hope the above information is useful to you in assessing your risk of data loss and adapting steps within that consideration.
If you desire more information, please don't hesitate to write to