Affected by the Marriott Hack? Here’s What To Do

Posted by Jamie Mackenzie Smith in Identity Theft on 30 November 2018

If you’re one of the 500 million consumers to have stayed in a Marriott-owned Starwood chain hotel in the past four years, there’s a chance your personal information could have been compromised in what could be the second biggest ever data breach.

Full details are yet to emerge, but W Hotels, Sheraton, Le Méridien and Four Points by Sheraton hotels are likely to have been affected by the breach, going back as far as 2014. Marriott Hotels themselves use a different booking system to the one that hackers gained access to, and so is believed to be unaffected.

Under the GDPR, the Marriott group could face a financial penalty of up to 4% of its annual revenue, which would make it the first business to receive this fine since the legislation came into place. Even though it is based in the US, GDPR is still applicable when interacting with citizens of the EU. Marriott International purchased the Starwood Group of hotels in 2016, but it took until September 2018 for an internal security tool to flag a potential breach and trigger further investigations.

For approximately 327m of those affected, the information that could have been accessed includes some combination of:

  • Name
  • Mailing address
  • Phone number
  • Email address
  • Passport number
  • Starwood Preferred Guest (“SPG”) account information
  • Date of Birth
  • Gender
  • Times checked in and out of the hotels plus reservation date
  • Communication preferences

Although payment card details were encrypted, the investigation cannot yet rule out that the encryption keys (needed to decode the card details) were also accessed.

Much of the data that has been accessed would be highly appealing to fraudsters - which is why one of the remedies that has been put in place is to offer affected customers free access to WebWatcher, a fraud monitoring service.

Regardless of whether you are affected by this breach, one of the most effective ways to spot signs of potential fraudulent activity is to monitor your Credit Report. You’ll be able to see applications for credit in the form of credit searches, linked addresses and accounts that you don’t recognise. If you are unfortunate enough to fall victim, checkmyfile subscribers benefit from Identity Fraud Assistance at no extra cost.

Find out more about checking your Credit Report for Identity Fraud

Unlike having a social media or email account hacked, it’s not as simple as changing your password to prevent fraudsters targeting you. Once sensitive personal data has been compromised, this could be used months or years after the breach, so it’s important to be vigilant.

It’s not uncommon to be a victim of fraud several years after a data breach has happened, with information freely traded and supplemented through the Dark Web.

See our guide about what to do if you become a victim of identity fraud for more information.

What to look out for

If you are concerned about identity theft or falling victim to other types of fraud, there are some early warning signs to watch out for:

New searches

You might not instantly recognise all of the search activity shown on your Credit Report, as detailed below. That’s quite normal and shouldn’t be an immediate cause for concern. There are several different types of searches recorded on Credit Reports, and in the vast majority of cases, these should relate to you personally.

Audit Searches typically relate to you accessing your own Credit Report, aren’t visible to lenders and don’t impact your Credit Rating.

Enquiry Searches do not affect your Credit Score unless they have been carried out by debt collection services. This type of search does not relate to applications for credit and are likely to appear when using a comparison site or applying for insurance. It’s not uncommon for a company name rather than a brand to be listed, and for that to be the name that appears.

Credit Applications – the one to pay most attention to. These relate to applications for credit and you should recognise every single one.

New credit agreements

Finding a credit agreement on your Credit Report that you don’t recognise can understandably come as a shock, least of all because if it’s there as a result of fraud, you’ll find that criminals have very little intention of protecting your credit rating and you can also end up with a heap of negative payment markers.

If you see a credit agreement with a company whose name you don’t recognise, it might be because a company you have taken out finance with uses a separate finance company, but armed with the other information that is shown – including the start date, balance and any credit limit – you should recognise it.

If you’re ever unsure, contact the company and ask them for more information, they should be happy to help out.

New linked addresses

The Linked Addresses section on your Credit Report show any addresses where you have either opened credit accounts, or have changed existing agreements to.

A linked address that you don’t recognise can be a sign that credit has been taken out using your information at another address, or that there has been an attempt to move an existing agreement to a new address. It’s worth keeping an eye on.

Taking extra precautions

If you think you are at a heightened risk of identity fraud as a result of a data breach, you can apply for Protective Registration at a cost of £20 for 2 years to add an extra layer of security. This prevents credit applications from being processed automatically, and whilst it might mean that any application you make yourself takes longer and is subject to extra scrutiny, it will give you additional peace of mind.

Alternatively, you can achieve the same result by adding a Notice of Correction to your Credit Report, explaining that you believe you have been the victim of identity theft. This method costs nothing and requires the same manual checks to be carried out (and the same delays to application processing).

If you are concerned about falling victim to identity fraud, either as a direct result of a data breach or any other means, checking your Credit Report regularly should be near the top of the actions you consider. If you haven’t already, you can try checkmyfile FREE for 30 days, then for just £14.99 a month afterwards which you can cancel online, by email or by phone.

If you have not been affected by the Marriott breach but still feel you may be at a heightened risk of fraud, you can use our Identity Fraud Risk Estimator to see whether you are likely to fall victim.

How To Check if Someone Is Using Your Identity For Fraud

Scams and fraudsters may have evolved to become more sophisticated over time, but when it comes to fighting back, one piece of advice has stayed true: If you’re concerned that you might have fallen victim to identity fraud or want to better protect yourself against it, your Credit Report is one of the best places to turn.

Published on 3 Apr 2019 by Paul Anderson-Riley

Full Article

Tesco Online Grocery List Disappears

After well over 10 years of using Tesco’s online grocery service, all of sudden, all of my Tesco order history has disappeared, alongside all the information stored in My Favourites – purchases made in-store and online over the past 13 months, My Usuals, and My Shopping Lists.

Published on 9 Oct 2018 by Barry Stamp

Full Article

Are linked addresses on your credit file a bad thing

Your Credit Report can surprise you: it can include reference to an address you have long-forgotten about or sometimes even an address you have never heard of, which is one of the reasons it’s important to check in every now and then.

Published on 30 Jul 2018 by Ian Carpenter

Full Article

Loan Fee Fraud: The £3.5 Million a Year Scam

For people facing financial hardship, sometimes taking out a loan to tide things over can seem like the most viable solution. But if you’re out of work or have a lower-than-average credit rating, it can be harder to get credit from mainstream lenders and mean that more expensive forms of finance in the sub-prime market are the only viable option. It often feels like a hopeless situation.

Published on 8 Jun 2018 by Jamie Mackenzie Smith

Full Article

Protecting yourself against identity theft online

Modern day fraudsters are now able to use the internet as a helpful tool to acquire a vast amount of information about an individual just from using their name. From this, they start to build a portfolio of data that they can then use to obtain credit, bank accounts and sign up for other services. By following a few simple steps you can help to reduce the risk of being exposed to a fraudster online.

Published on 22 May 2018 by Paul Anderson Riley

Full Article

Personal Data in the Wake of Facebook/Cambridge Analytica

Strange as it might sound to some, huge numbers of people routinely complete online surveys through Facebook to find out which football player they are most like, which Hogwarts house they should be in or how much money they will be earning in 2050. The truth is, every time you volunteer seemingly innocuous information or consent to share profile information with an app, your data is probably going somewhere to be used for another purpose.

Published on 17 Apr 2018 by Paul Anderson-Riley

Full Article

Identity Fraud: What To Do If It Happens To You

Year on year, there has been a substantial rise in the number of identity fraud cases being reported to organisations such as Cifas, the UK’s fraud prevention service. It’s no real surprise when you consider the crime can be committed from the comfort of someone’s home without ever having to risk showing their face.

Published on 6 Feb 2018 by George Coburn

Full Article

What's a Politically Exposed Person (PEP) & Why is it on my Report?

PEP stands for Politically Exposed Person, which would typically relate to an individual who has a prominent public title or function. If you receive this classification, often you will have to undergo additional security checks when applying for finance. Your credit file will tell you if you have been identified as a PEP, however for most people it isn’t something they’ll need to worry about.

Published on 8 Jan 2018 by Paul Anderson-Riley

Full Article

Brits continuing to fall for HMRC and Apple gift card scam

At the face of it, it seems a bit odd that the company responsible for collecting taxes would request payment from individuals in the form of an Apple iTunes gift card, but according to Action Fraud, this scam has continued to be profitable for fraudsters. The scheme first came to light in May last year and Action Fraud have received hundreds of complaints since then.

Published on 30 Jan 2017 by George Coburn

Full Article

Yahoo’ve been hacked – Yahoo in largest ever reported data breach

In the last two years, we have already been alerted to data breaches at Three Mobile, Tesco Bank, TalkTalk, Morrison’s, Steam and Sage, amongst others. The scale of these hacker attacks have varied. But none have come close to the newest report.

Published on 16 Dec 2016 by Ben Tumilty

Full Article


We are rated number 1 for customer service on