Iowa Attorney General

Latest Consumer Alert

Nov. 30, 2018

How you could be affected by the Marriott Starwood data breach

Attorney General advises five steps to prevent identity theft


As many as 500 million people could be affected by a data breach at Marriott's Starwood properties that could have lasted four years.

Marriott International released this statement on Friday. "On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."

For some of the Starwood guests, the information affected includes some combination of name, mailing address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates.

If you have any questions or concerns regarding this incident, please call Marriott's toll-free U.S. helpline at 877-273-9481. Find more information at Marriott's statement.

Anyone who encounters a security breach that affects at least 500 Iowa residents must provide written notice to the Attorney General’s Consumer Protection Division Director within five business days after notifying affected people. Here is a list of recent data breaches affecting Iowans.

The Attorney General’s office recommends five important steps to avoid becoming a victim of identity theft: 

1.  Place a "security freeze" on each of your credit reports (Equifax, Experian, and TransUnion) to stop fraudulent accounts from being opened by the identity thief.  A security freeze prevents potential creditors and other third parties from accessing credit reports without your approval. Most businesses will not open credit card or loan accounts without checking your credit history.  You must contact each of the credit reporting agencies individually online or by postal mail.  There is NO COST to place or lift a security freeze.  For more information, see our Guide to Security Freezes. 

You may be offered complimentary (free) credit monitoring.  Credit monitoring should not be used in lieu of a security freeze on your credit reports.  Credit monitoring is reactive because it leaves your credit report open and alerts you after your identity has been stolen.  Placing a security freeze is preventative because it locks your credit report and requires a PIN number release from you for access.  Generally, only the first twelve (12) months of credit monitoring are free and beyond that you have to pay monthly for this service. 

2.  Place a temporary (90-day) "fraud alert" on each of your credit reports by calling any one of the credit agencies listed below.  The credit agency you call will forward your request to the other two credit agencies.  To request a permanent (7-year) alert, you must be a victim of criminal identity theft (beyond having your information exposed in a security breach) and report the crime to your local law enforcement agency. There is no cost for this service.  To add a temporary fraud alert, contact any one of the following credit reporting agencies at:

            Equifax, P.O. Box 740256, Atlanta, GA 30374; 800-465-7166;

            Experian, P.O. Box 9530, Allen, TX 75013; 888-397-3742;

            TransUnion, P.O. Box 2000, Chester, PA 19022; 800-680-7289.

3.  Order a FREE copy of your credit reports from each credit reporting agency.  You are entitled to one free copy from each credit agency every twelve months. Monitoring your credit card statements and your credit reports are the most important steps you can take to safeguard your credit identity because you can catch errors and detect identity theft early. Equifax, Experian and TransUnion are private industry competitors who collect data independently.  Thus, all three credit reports must be reviewed to ensure the accuracy and safety of your credit information. Your free credit report does not contain your credit score because it is the work product and property of the credit agencies.  The Federal Trade Commission required the three credit reporting agencies to create a joint clearinghouse for consumer requests, so ordering your credit report is easy:  Just call, write or go online to:

            Annual Credit Report

            P.O. Box 105281

            Atlanta, GA 30348-5281

            Phone: 877-322-8228 toll-free


4.  Review your monthly billing statements, annual credit reports, and insurance explanation of benefit (EOB) statements carefully. Look for unfamiliar charges, credit card accounts or other suspicious activity, such as incorrect addresses or indications of delinquent payments.  If you find unauthorized charges or accounts, contact my Consumer Protection Division.

5.  Be wary of telemarketers who may use the information they fraudulently obtained about you to further defraud consumers.

