Marriott data breach: key tips

The Marriott data breach announced on Nov. 30, 2018 is a significant breach, reaching across multiple countries and affecting an estimated 500 million people. The breach includes an array of data that does create the potential for meaningful identity theft risk.

Who does the breach affect? The breach affected guests who booked through Marriott’s Starwood reservation system. The Starwood system is used by Marriott hotel properties including Aloft, Design Hotels, Elements, Four Points, Meridien, Sheraton, St. Regis, Tribute, The Luxury Collection, W Hotels, and Westin. Starwood-branded timeshare properties are also affected. Not affected: Marriott hotels including the Residence Inn and the Ritz Carlton were not impacted by this breach because they are currently on a separate reservation system.

Who was impacted and breach notifications: Marriott began sending breach notifications Nov. 30, 2018. According to Marriott, “If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.” Marriott says that the unauthorized access of its Starwood reservation systems began in 2014.

If you think you have been impacted: Marriott is offering WebWatcher for one year free of charge to victims of the breach. WebWatcher scans online for areas where your information may be being sold and traded, and sends alerts. Marriott is currently offering this service to residents of the US, Canada, and the UK. Affected Marriott customers from the United States who enroll in WebWatcher will also be provided with fraud consultation services and reimbursement coverage free of charge.

Note: when you sign up for the WebWatcher service, you will have the opportunity to request that your passport number be monitored, as well as phone numbers and other information.

Here is more information, from Marriott:

Marriott has posted a FAQ page here. 

It is highly likely that more information will become available about what specific information was breached, and when. Of high importance is figuring out which guests had their passport numbers breached. If you think your passport number has been affected, strongly consider taking advantage of the WebWatcher service and adding your passport number to be monitored. This is still a developing situation, and WPF will post updates here.

For all breach victims in the US, here are three immediate general steps you can take on your own to begin to address the potential risks the Marriott data breach poses. These steps are apart from signing up for credit monitoring or WebWatcher.

  1. If you have a Social Security Number, set up your online account for your Social Security records. From there, you can then block electronic access to your account if needed.

  2. Put a fraud alert (red flag alert) on your bank accounts, credit accounts, and all financial accounts.

  3. Get a free copy of your credit report from the free service,

How to sign up for a Social Security Administration My Social Security account

The Social Security Administration allows individuals with an SSN to sign up and monitor their Social Security records. It is smart to proactively sign up for an account. You want to get that account locked into your name, with your passwords and email associated with it. It makes it much harder for an ID thief to sign up in your place.

After you have an account, if you are concerned about identity theft, you can block electronic access to your Social Security record so that it is much less vulnerable to ID thieves or other snooping. This is a simple but powerful step to take.

Information for US residents about My Social Security accounts:


How to put a fraud alert on your financial accounts

If you are a victim of the Marriott breach, it is a good idea to be proactive and ask your financial institution to place a fraud alert, sometimes called a red flag alert, on your financial account. This is not the same thing as credit monitoring. A fraud alert can be very helpful protection for people who are victims of a data breach.

You can set fraud alerts for:

  • Bank accounts
  • Savings accounts
  • Credit card accounts

and other financial services accounts.

To find out how to set a fraud alert for your financial institution, you can call your bank or financial service provider and simply ask them to place a fraud alert. Some banks call this a “flash alert,” some call it a “red flag,” some call it a “fraud alert.” It is often helpful to talk to a customer support professional at the financial institution so that you can explain you want to put an alert on all of your accounts, but not close them.

Note that calling to replace credit cards that have been breached is different from placing a red flag alert or fraud alert on your accounts. The fraud alert is not supposed to close your account; it is supposed to let bank or other financial institution employees know that they need to be certain it is you when they take any action or accept phone call instructions regarding your accounts.

More information: 

  • We recommend calling your financial institutions to inquire about placing fraud alerts on your accounts.

How to get a copy of your credit bureau reports (In the US, get a free copy of your credit bureau reports from

For US residents, Congress has mandated that individuals can get one free copy of their credit bureau reports once each year. Now is the right time to get that done. You can go online to the web site, or you can call and make the request. The idea is to keep the reports that you get now as a baseline, so you have something to compare future reports to. Having a baseline report will assist you in spotting new or unusual activity.

If you have not reviewed your credit report before, it may be a lot of information to digest at first. You might not have realized how much information credit bureaus collect about you. There are tools for helping you understand how to read your credit report. Here are two: Credit Report Anatomy, from, and TransUnion Credit Report User Guide from credit bureau TransUnion.

More information for US residents: 

These three steps are not the only steps you can take to reduce your risk from a data breach, but these are three key steps to be proactive about.

Two additional things to keep an eye on for the Marriott breach include:

Passports: To repeat, some passport numbers were breached in the Marriott hack. Not all guests affected by the breach will have a passport number that was breached, and there is still a lot more information that we need to know about which customers were affected. If you think your passport number was breached, this is an important issue to follow up on with Marriott. A breached passport number, especially in combination with the rest of the personal information involved in the breach, is an identity theft risk. Remember, if you are a resident of the US, UK, or Canada, you have the option of signing up for WebWatcher service and including your passport number for monitoring.

Filing tax returns early in 2019: Even though it is now past tax season for 2018, the FTC generally recommends that you complete and file your taxes early. This is to prevent scammers from using your identity information to file early and receive your refund.

Publication information:

Author: Pam Dixon, Executive Director

Original publication date: 30 Nov. 2018