The company has created a website to deal with the breach at info.starwoodhotels.com (note that at the time of writing it redirects to answers.kroll.com).

Who’s affected?

The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk:

If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.

According to Marriott, its Starwood brands include: Starwood branded timeshare properties, W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

What data is at risk?

It seems that different guests may be subject to different levels of exposure, according to how much data they shared. Until you have successfully confirmed your level of exposure with Marriott, you should assume the worst.

Information put at risk by the breach includes “some combination of” name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, payment card numbers and payment card expiration dates.

Although payment card numbers were encrypted, thieves may have stolen the information required to decrypt them.

What happened?

Marriott has not revealed what events or security failures occurred (it may not yet know), but it has released some details about how it discovered the breach.

The company says that on 8 September 2018 it was alerted to an unauthorised attempt to access the Starwood guest reservation database. Security experts called in to deal with the incident revealed that unauthorised access to the Starwood network started as far back as 2014, two years prior to Marriott’s acquisition of Starwood.

On 19 November 2018, Marriott learned that a recent attempt to encrypt and exfiltrate data from the network had included data from the Starwood guest reservation database.

As you can see from what Marriott has revealed so far, it can be difficult for everyone concerned to tell the difference between data that has been put at risk and data that has actually been stolen.

Until they can confirm otherwise, victims would be prudent to assume they amount to the same thing.