The Marriott data breach: Take action whether or not you’re affected


Last week, one of the largest hotel chains in the world, Marriott International, Inc., announced that a massive data breach of its Starwood reservation system exposed the personal information of up to 500 million guests. Those who stayed at the chain’s Starwood brand hotels from 2014 through September 10, 2018 are affected. That’s four long years of data theft before the hackers were detected.

This is the fourth massive U.S. data breach since 2013, after Yahoo (3 billion accounts), Equifax (147 million consumers) and Target (40 million customers). The Marriott break-in not only exposed names, addresses, phone numbers, email addresses and credit card information, but rarer data too, including birth dates, gender and passport information from international guests.

While its credit card information was encrypted, Marriott indicated it’s possible that the hackers were able to steal the encryption keys, rendering the credit card data encryption worthless.

What’s Marriott doing for its guests?

Marriott has already set up an information page for the Starwood Guest Reservation Database Security Incident. On the page they briefly explain the breach’s timeline and what data is involved. Marriott stated that among other actions, it’s working to quickly phase out the old Starwood reservation system. Marriott indicated that they started sending notification emails to affected guests last week. It will take a while to notify everyone. If you’re affected, Marriott has established a dedicated call center and they’ve arranged for affected guests to be able to enroll in Kroll’s Web Watcher fraud monitoring. It’s free for one year, but only available to customers in the U.S., Canada and the U.K.

What should Marriott customers affected by the breach do for themselves?

Check that any notification email received from Marriott is legitimate:

With a breach this large there’s little doubt that malicious hackers will try to scam Marriott customers with phishing and other fraudulent schemes to harvest their personal information. Marriott’s email notification won’t contain attachments or requests for any information. Its links will solely bring affected guests to the Starwood Guest Reservation Database Security Incident page.

Sign up for Web Watcher:

There’s no reason not to sign up for the free year of Web Watcher fraud monitoring, if it’s offered in your country of residence. Click on your country on the right side of the “Security Incident” page to get the “Enroll Now” link.

Consider freezing your credit:

You can freeze your credit for free. It will prevent anyone from opening a new account, taking out a loan, or obtaining a new credit card in your name. Freezing your credit won’t damage your credit score. You’ve got to freeze your credit at all three credit bureaus for it to be effective, so contact Experian, Equifax, and TransUnion. If you find you need to take out a loan or get a new credit card yourself, you can lift the freeze for a limited time or for a particular entity.

What should every traveler do whether or not they’re affected by the Marriott breach?

Get a password manager:

A password manager can create, store and automatically fill in your passwords along with other login information. You can store them for accessing websites, online accounts, etc. I personally use LastPass and highly recommend it. For many people, the free version is sufficient.

Change your Marriott password:

If you have both Marriott and Starwood accounts, it’s time to combine them into one account, then change your password.

Set a strong password and make it at least twelve characters long. According to How Secure Is My Password, an eight-character password with at least one lowercase and one capital letter, a symbol and a number would take a computer just four weeks to crack. If you just add four extra numbers, for twelve characters total, it would take about 3 million years to crack that password.

You should use a different password for every website and account. Since you’re hopefully now using a password manager, that’s easy to accomplish, as is changing your passwords regularly.

Edit your Marriott profile:

Put only the required information in your profile. Remove any other information. If your profile is breached, only the information there can be stolen.

Credit and debit cards are optional in Marriott profiles. If you enter a card for your convenience, make it a credit card. They have more consumer protection than debit cards. When you get to your hotel you can pay with almost any card, regardless of your profile.

I pay my bills at Marriott with Apple Pay. Therefore, my credit card information is never stored at Marriott. They only get a transaction ID from Apple. That way, if Marriott is hacked, my credit card information isn’t there to be harvested.

Monitor your Marriott/SPG account and all financial accounts:

You should always monitor all your financial accounts, looking for unauthorized activity and incorrect information.

User Responsibility:

While extremely easy to use and convenient, online information storage and transactions make our personal and financial information vulnerable to criminal activities. It’s up to each one of us to take prudent measures to protect our identity and finances to the extent possible. The commonsense approach and actions outlined above for your Marriott account should be applied to all your online accounts for your personal and financial protection.

(Image: Berlin Marriott, Copyright © 2017 Pascal Volk)