Recent reports indicate that third-party hackers may have stolen the records of 500 million guests of Marriott’s Starwood hotels.[1] This includes highly sensitive personally identifying information such as credit card numbers and expiration dates, mailing addresses, dates of birth, passport numbers, and email addresses.[2] Marriott has admitted: “We fell short of what our guests deserve and what we expect of ourselves.”[3]


Marriott’s Starwood guest information system has been compromised since at least 2014.[4] Marriott received notice of a potential breach of its Starwood systems in September 2018, but waited until late November to notify its affected customers.[5] As early as November 19, 2018, Marriott was able to determine what information was stolen.[6] Marriott has said that it is working to improve its cyber security system, has established a “dedicated call center,” and is “sending emails on a rolling basis . . . to affected guests.”[7]


Hacking incidents such as these can have devastating consequences for victims. Companies like Marriott that collect and store customers’ sensitive information know that it is valuable to criminals and know that, every day, people are harmed when their data is stolen. While the theft of credit card information is obviously damaging, “biographical data gained from multiple sources to perpetrate more and larger thefts” presents an even larger, and more persistent, threat.[8] Unfortunately, this is exactly the sort of information that appears to have been stolen from Marriott’s Starwood guests.

The Federal Trade Commission has aptly described this identifying information and other financial information as “as good as gold” to identity thieves and hackers.[9] Once your identity is stolen, criminals “can drain your bank account, run up your credit cards, open new utility accounts, or get medical treatment on your health insurance.”[10] People who are victims of a data breach are far more likely to have their identity stolen. One report found that “1 in 4 data breach notification recipients became a victim of identity fraud.”[11]

Criminals who steal personally identifiable information are increasingly sophisticated. They know the chances of success may decrease when hacked companies pay for credit monitoring for their victims. Since these companies will not pay for credit monitoring forever, criminals will sit on stolen information, biding their time until those affected let their guard down. The U.S. Government Accountability Office has found that “stolen data may be held for up to a year or more before being used to commit identity theft.”[12] Furthermore, once a victim’s information is made available to criminals on the dark web or other criminal areas, “fraudulent use of that information may continue for years.”[13] This makes monitoring victims’ finances for a year an insufficient remedy.


Given the potentially devastating and lasting effects of data breaches on consumers, it falls on companies like Marriott to protect that data. They are collecting data of people like you so that they can get and keep your business. In a modern economy, people are certainly willing to provide that information to make for a smoother and easier transaction. However, customers often have no option if they want to do business with a company in today’s economy: they must provide their private personal and financial information, and they have absolutely no way of protecting themselves once they surrender it. A company cannot simply mishandle customers’ personal information. That is not part of the deal we strike with electronic transactions.

This is why law firms like Price Armstrong are standing up for victims of data breaches and fighting to get them the remedies and protection they are entitled to.


All trademarks are property of their respective owners.
[1] Massive, extended data breach within Marriott’s hotel empire, Associated Press, Nov. 30, 2018.
[2] Id.
[3] Id. (statement of Marriott CEO Arne Sorenson)
[4] Starwood Guest Reservation Database Security Incident, Kroll, Nov. 30, 2018.
[5] Id.
[6] Id.
[7] Id.
[8] 2014 PCI Compliance Report, Verizon. (hereafter “2014 Verizon Report”), at 54.
[9] Federal Trade Commission Identity Theft Guide.
[10] Signs of Identity Theft, Federal Trade Commission.
[11] 2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters, Javelin Strategy and Research.
[12] Report to Congressional Requesters, Government Accountability Office, June 2007.
[13] Id.