Up to 500 million guests of the hotel chain Marriott may have had their data stolen in a security breach, the company announced on Friday.
For some 327 million of those guests, the stolen information includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” according to the chain.
The data breach, which involved a reservation database at Marriott’s Starwood unit, is unprecedented in size and scale.
Here’s what to do if you are worried your information has been compromised.
I’m a Marriott customer. How will I know if I’m affected?
Marriott began sending out messages on a rolling basis to affected customers on Friday to the email addresses associated with compromised accounts. Check those email addresses regularly — and be aware that you may not receive notification immediately, as it takes time to send 500 million emails.
Okay, so my account is involved. What should I do now?
Marriott says affected customers should monitor their accounts and bank statements for suspicious activity. More information can be found on its advice page for people affected by the breach.
It also warned of the risk that hackers could use information exposed by the data breach news to mount “phishing” attacks, in which people pretending to be someone they’re not trick you into giving them other valuable information, like credit card numbers.
Marriott said breach notification emails would only come from the address “starwoodhotels@email-marriott.com,” and that those emails would not contain attachments or requests for personal information, including passwords.
It would also be wise for you to change any passwords for other services that you know to be the same as the one you used for Marriott accounts.
Anything else?
Yes. As part of its response to the data breach, Marriott has set up a way for all guests to sign up to WebWatcher for free for one year. That site alerts you if your personal information is being shared on dodgy websites. U.S. users will also be eligible for compensation through the site if money is lost.
However, it’s not clear whether that compensation will be applicable to misuses of data that might occur after a year is up, or whether non-U.S. citizens will be able to obtain compensation.
Are there any bigger steps I can take?
That depends on your rights.
In the U.S., data protection law varies state by state. But if you believe you have suffered because of the breach, you should contact the Federal Trade Commission (FTC) and the Attorney General of your state. You should also file a police report if you believe crimes have been committed.
On the FTC website, you can file a complaint against a company and report identity theft.
These measures may be a useful first step in proving your case if a class action lawsuit is set up in the future. A police report will also be helpful evidence to provide to correct your credit score if it suffers because of the breach.
What if I live in the European Union?
If you are an E.U. citizen, you benefit from the new General Data Protection Regulation (GDPR), which came into force earlier this year. If your data has been stolen and you suffer financial loss or distress because of it, you may have the right to compensation.
The first step towards claiming that compensation is to contact the company outlining your case, including losses suffered, and requesting compensation.
You should also contact your country’s data regulator, which Marriott has helpfully listed on its website. Scroll to the bottom, click the “More information on steps you can take” tab, then click “Additional information for EU data subjects.”
That regulator will be able to advise you whether your claim has merit, and whether they believe your information has been compromised. That advice could be helpful later in court, or as part of a future class action lawsuit.
How about elsewhere?
If you live outside the U.S. or E.U., you should do some research into what rights your jurisdiction gives you over your personal data, and see if your country has a data protection authority you can contact.
Marriott also said it would set up a call center to answer questions in multiple languages. Information on that can be found on its help site.