The state launched an investigation into the massive Marriott security breach and is likely to team up with other states in an effort to get to the bottom of the incident, officials said Friday.
Stephen Levins, executive director of the state Office of Consumer Protection, said Marriott International faces state fines from $500 to $10,000 per violation if it is found to have used unfair or deceptive trade practices or was negligent in its security protocols.
Marriott, owner of Starwood Hotels and Resorts, on Friday announced the data breach from Starwood Hotels’ guest reservation system. The breach exposed passport numbers, mailing addresses, phone numbers, birth dates and Starwood Preferred Guest account information going back to 2014. Marriott also warned that credit card and payment card numbers may have been stolen.
“It’s troubling there were not adequate safeguards in place to prevent this from happening,” Levins said in an interview.
The state has dinged other companies for security breaches in the past, including last year when Target stores was fined $188,000.
State law requires any business or agency with a security breach affecting 1,000 residents or more to notify the Office of Consumer Protection.
“This obviously is going to impact more than a thousand people here in Hawaii,” Levins said.
The affected hotel brands operated by Starwood before it was acquired by Marriott in 2016 include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties are also included.
Starwood-managed hotels and resorts in Hawaii include the Sheraton Waikiki, Royal Hawaiian, Moana Surfrider, Sheraton Princess Kaiulani, Sheraton Kona Resort & Spa at Keauhou Bay, Sheraton Kauai Resort, Westin Princeville Ocean Resort Villas, Westin Maui Resort & Spa, Sheraton Maui Resort & Spa, Westin Kaanapali Ocean Resort Villas and Westin Nanea Ocean Villas.
None of the Marriott-branded chains were threatened.
Levins urged residents who stayed at any Starwood resort going back to 2014 to check their credit card statements for unauthorized charges.
Additionally, he said, watch out for malicious phishing emails from those posing as Marriott aimed at tricking guests into giving up personal information, he said. Marriott has said it will be contacting customers from the following email address: starwoodhotels@email-marriott.com.
The Office of Consumer Protection also recommends:
>> Checking credit reports from Equifax, Experian and TransUnion and looking for any unauthorized entries or accounts. Consumers can request a free credit report from each of the credit reporting agencies at www.annualcreditreport.com.
>> Placing a free credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that any credit request should be verified with you.
>> Changing your login information on accounts with Marriott/Starwood. If the same username and password is used on other sites, change those, too.
>> Placing alerts on financial accounts so your financial institution alerts you when money above a designated amount is withdrawn.
