Emerging Threats

Massive data breach hits hospitality giant. Up to 500 million guests affected — Here’s what you can do

A large hotel brand announced what could be one of the largest corporate data breaches in history. The company’s guest reservation system was hacked, potentially exposing the personal information of up to 500 million guests.

The exposed personal information includes some combination of name, mailing address, email address, date of birth passport numbers, and other information that could expose individuals to the risk of identity theft.

Cyber threats have evolved, and so have we.

Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.

Try Norton 360 with Lifelock.

Am I affected by the data breach?

About two thirds of the company’s customers are potentially affected by this breach. The company began sending emails to customers affected by this breach on a rolling basis on November 30, 2018. The email will not contain attachments or requests for personal information or passwords. Be on the lookout for such an email. Because of the volume of potentially affected customers, it may take a while for all of the emails to be sent.

If I am affected, what should I do?

The company advised its affected customers to monitor their accounts and bank statements for suspicious activity. It also advised consumers to be vigilant against third parties attempting to gather information by deception, or through “phishing attacks”, which could include email links to fake websites.

Here are some steps you can take to help protect yourself if you think this data breach may have exposed your information.

  • Change any passwords that use the same login information as those used in your hotel accounts.
  • Watch for communications from companies that had recent data breaches
  • Monitor news reports about this breach, watching for new developments.

What can cybercriminals do with exposed personal information?

Cybercriminals could commit a variety of crimes using the stolen data. For instance, sensitive information like date of birth, address, or passport numbers can be combined to create fake IDs. The IDs could then be used to commit other crimes. Also, personal information can be sold on the dark web, and identity thieves could wait months, or even years, before using the stolen information.

How can passport information be used to commit crimes?

There are various implications of having a large trove of stolen passport numbers available on the dark web (including national security concerns). For the typical US consumer however, the main impact is that it opens an additional opportunity for identity theft.

The accessed data contains much of the information needed (full name, address, gender, date of birth, passport number) for creating fake passports, using standard templates available on the black market. The process is straightforward and not very expensive.

Fake passports can be used for a variety of fraud and other criminal activities, including opening new bank accounts and credit accounts. Additionally, the Social Security Administration accepts U.S. passports as proof of identification/U.S. citizenship when issuing SSNs (and issuing replacement SSN cards).

The Social Security Administration will accept a passport in lieu of a birth certificate.

How to help protect your identity

With your personal information, an identity thief could open new accounts in your name without your knowledge. Here are options to consider that could help protect your identity:

1. Credit freezes

A credit freeze “freezes” your credit report, making it difficult for potential creditors to access it. Without such access, a creditor cannot open new accounts in your name. To obtain a credit freeze, contact each of the three major credit reporting agencies listed below. There may be fees associated with freezing your credit and removing a freeze.

Equifax: 800-525-6285 or
Experian: 888-397-3742 or
TransUnion: 800-680-7289 or

2. Fraud alerts

If you have a fraud alert on your credit files, when someone applies for credit in your name, creditors are required to take reasonable steps to verify that it’s you — not a criminal — attempting to open a loan or applying for a credit card, for instance.

To place a fraud alert on your credit files, contact one of the three major credit reporting agencies. That credit bureau is required to send your request to the other two credit bureaus.

You must renew fraud alerts every 90 days.

3. Credit monitoring

Credit monitoring services track changes to one or more of your credit reports, including applications for new credit cards or loans. The idea behind credit monitoring is to alert you to activity involving your credit report so that you can determine whether someone is attempting to open accounts in your name.

Some banks and credit card companies offer basic credit monitoring by giving customers access to a regular credit score. Unexpected changes to that score may indicate something amiss, and that someone has fraudulently obtained credit in your name. Other companies, including credit reporting a gencies themselves, provide more extensive credit monitoring for a fee.

4. Identity theft protection

Identity theft protection services typically provide credit monitoring, and sometimes a credit score, at one or more of the three credit reporting agencies. These services may also monitor the use of your personal information in ways that don’t show up on your credit report. Identity theft protection services may also provide restoration services to help victims resolve issues of identity theft.

There isn’t much you can do to prevent a data breach. Once your information is given to a business or an organization, you likely have no control over how it is stored. If it is not secured, cybercriminals may be able to gain access to it.

But there are things you can do to help protect yourself in other ways. It’s a good idea to consider investing in a comprehensive cyber safety product to help protect your devices and personal information. For instance, having a service like Norton with LifeLock can help monitor your personal information and provide you with cyber safety with multiple layers of protection for your devices and identity.

Cyber threats have evolved, and so have we.

Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.

Try Norton 360 with Lifelock.

Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2023 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.