"Marriott values our guests and understands the importance of protecting your personal information," is the first line of the long notification email sent over the weekend to hundreds of millions of Starwood hotel guests whose sensitive personal details were hacked.

That may be, but China allegedly valued the guests' information to the point that they got around whatever protections were in place for it. They did it very discreetly too.

The hacking started in 2014 and wasn't verified until recently after a month's work to decrypt the information found on systems connected to Starwood's compromised network.
Some 327 million guests had lots of personally identifiable information including passport numbers and maybe credit card details (Marriott isn't sure about that yet) copied over.

Names, emails and "other information" for another 173 million guests were also hacked, adding to an ocean of data that should've been kept safe but which leaked out.

United States infosec spooks went public and said the hack had similarities to the attacks on the Office of Personnel Management and insurance companies. These had been traced back to China.

The educated guess is that Chinese intelligence will use the information taken to identify and locate US military personnel and build profiles on them. Ditto to surveil Chinese nationals travelling overseas.

Personal information of many other nationalities was taken too, including New Zealanders. Marriott has sent out the email to Kiwi guests as well, promising free identity monitoring which, if it was the Chinese intelligence service who were behind the hack, won't be very useful unless the stolen info is detected in fraudulent use.

If you're a high-value target in NZ though and stayed at a Starwood hotel, future China travel might just be a little more nervous than in the past.

For Kiwis, the email's a bit of a joke. It refers people to US, European Union and Canadian privacy law and authorities but mentions no such things for New Zealanders.

No compensation is offered beyond the identity monitoring, which is just wrong. At the very least Marriott should offer to pay for new passports and other identity credentials for guests who had those details taken.

Having to wait for something bad to happen and then claim compo means the stolen data retains its value until it's used, and sits there like a ticking time bomb for people. Stolen personal information is used in increasingly creative fraud attempts.

From credentials stuffing to breaking into accounts, to impersonation, spamming, phishing, really ugly extortion — the list gets longer every month.

So many services and accounts have been compromised that I think it's time for Troy Hunt's excellent ("owned" or hacked) site to be renamed to

Troy's site currently lists almost 5.7 billion hacked accounts, and that number continues to go up. Go and have a look to see whether your account's listed there.
Long story short, you will be hacked if you're not already.

Do we accept the fact and try to live with it, declare all-out war on hackers, or devise systems for user verification and access to information we wish to share without actually handing over any sensitive data?

My bet is that it'll be all three. Now if you'll excuse me I need to set up identity monitoring before something bad happens.