Marriott shared today the awareness of a data breach that has impacted the Starwood network since 2014. This one is different, because hackers appear to have gained access to information more personal than credit cards. Details are still emerging, but based on the information released today, Weaver can suggest a few things you can do to protect yourself and your business.
What do we know?
According to Marriott’s website, on November 19, 2018, an internal investigation concluded that there had been unauthorized access to the Starwood network since 2014, in which the unauthorized party had copied and encrypted information, then took steps towards removing it. Also on November 19th, Marriott was able to decrypt the information and determined that it came from the Starwood guest reservation database. The hotel chain believes information from as many as 500 million guests who made a reservation at a Starwood property before September 10, 2018, was compromised. (For comparison, note that the United States population is currently about 329 million people, according to the U.S. Census Bureau.)
For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation dates and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates; however, the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). Two components are needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining 173 million guests, the breached information was limited to name and sometimes data such as mailing address, email address or other information.
Why is this data breach different?
Until this breach occurred, you may not have thought about how much information a hotel chain collects about you. More than any other industry — other than financial institutions —the travel industry collects a large amount of personal data from customers. Hotels, airlines and travel agents collect sensitive information such as driver’s license and passport numbers, addresses, emergency contact information, credit card numbers, and other private data. Worse, they often connect with other travel companies and reservation systems where additional information about you and your travel profile that may be shared between organizations. The information provided makes it different, and more concerning, then a typical retail breach.
What are the things you need to be doing now?
Change Your Password
Although Marriott has not stated that passwords were compromised, given the extent of this breach, we would not be surprised to find that they were. Therefore, Weaver recommends that you take steps to change the password to your Starwood and Marriott accounts, or both if they have not yet been combined. If you used the same password on other sites — as too many people do — change those, too, and stop re-using passwords. The advice for creating strong passwords still applies: make them long and complex and use special characters. For more information about password advice, read our article “How Cyber Are You? And How Vulnerable?”
Change Your Password (Part 2)
We expect that the compromised information may be used towards other travel sites, not because of their lack of security, but because customers often reuse passwords for various travel sites. Take the time to identify the passwords that you use that are similar to or the same as your Marriott account, then change them all. Avoid using the same password across accounts. In addition, consider using a reliable, secure password manager that requires two-factor authentication.
Based on the information provided by Marriott, valuable information was exposed that may make you susceptible to targeted phishing attempts. Using specific information about yourself, including name, email, address, and other details exposed, you may be subjected to more sophisticated phishing attempts. If you receive an e-mail asking for sensitive information, be suspicious. Hover over the hyperlinks in the e-mail – where would those links take you? Were you expecting to receive an attachment from this sender? Does a quick search of the company’s name or organization’s domain raise any red flags? If something doesn’t pass the smell test, report or delete the message. (See “How Cyber Are You? And How Vulnerable?”)
As always, monitor your credit cards and financial accounts for inappropriate or unauthorized transactions and report these to your bank immediately. If you have credit cards that you primarily use for travel (or that were saved to the Starwood profile), consider proactively requesting a new credit card number.
For SPG and Marriott Rewards members, consider validating transactions and holding onto the communications regarding rewards points you have earned. For elite status members, the points equate to free nights and have value to you personally. There has been no indication that rewards will be affected, but if the hacker(s) have your account information, they may very well have access to your points. Take precautions to protect this hard-earned asset.
Upcoming Travel Plans
Marriott has mentioned that arrival and departure information was exposed. This information is valuable to criminals, as they will know when you are away from home. For the same reason you should avoid sharing your travel plans through social networks, this information can expose your travel routines and reveal when you may be letting your guard down at home or online, making you more vulnerable. Stay vigilant regarding any travel plans that have already been booked through Starwood/Marriott.
What Marriott is doing to help their customers?
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Guests from the United States who complete the WebWatcher enrollment process will also be provided fraud consultation services and reimbursement coverage for free.
Read more from our "Lessons from the Breach" series: