Defensive steps for Marriott Starwood guests worried their personal
information may have been compromised by the massive data breach
If you are into cybersecurity, or data privacy, or staying at hotels,
you have probably heard that Marriott International – one of the world’s
largest hotel chains – announced a huge data breach today involving
the Starwood reservations database. According to the Washington Post
report on the breach: “the personal information of up to 500 million guests
could have been stolen”. One reason the number is so large is that the Starwood
brand encompasses many different properties,
including Sheraton, Westin, Le Meridien, Aloft, The Luxury
Collection, and W Hotels. Another reason is that, according to company
officials, an unauthorized party had accessed the database since 2014.
The official Starwood website for information about this breach is being
hosted by Kroll, a company with extensive experience in security incident
response: https://answers.kroll.com.
The following are five defensive steps you should take now if you have used any
Starwood or Marriott hotel during the last four years.
1. Change your password
One of the first – and simplest – things you should do in light of this
breach is to change the password on your Marriott/Starwood Preferred Guest
(SPG) account. Hopefully you have not reused that password on other accounts,
but if you have, change the password on those accounts too: a password exposed
in one breach is routinely tried against other services.
2. Check your accounts for suspicious activity
Be especially vigilant about checking the transactions on payment cards,
and your Marriott and SPG accounts. If you see payment activity that you do not
recognize, it is important that you notify the bank that issued your card
immediately. If you notice unusual or fraudulent activity on your Marriott or
SPG account, you should contact them directly. It’s also a good idea to keep
a closer eye on your other financial accounts (such as retirement or brokerage
accounts), as well as your credit report.
Keep in mind that the thieves may not use or sell all of the stolen data
right away. You will need to be vigilant with your accounts for a while.
3. Consider a credit freeze
Freezing your credit does introduce an obstacle whenever someone legitimately
needs to access your credit report (such as when you apply for a new bank card,
loan, apartment or job), but it also makes it much more difficult for thieves to
open new accounts using your information. Due to a recent change in US law
surrounding fees for credit freezes and fraud alerts, these can now be placed
for free in the United States.
If you decide against a credit freeze, you may wish to place a fraud alert
on your files instead. A fraud alert warns creditors that you may be a victim
of identity theft and that they should take additional steps to verify that
anyone seeking credit in your name really is you.
4. Improve your login security
With all the information that is now available to thieves from this and
other recent breaches (particularly the Equifax breach), criminals may try to
combine data to access other online accounts and services. It’s always a good
idea to make sure you have strong, unique passwords for each account you use.
If you’ve not yet enabled two-factor authentication wherever it’s available to you, now is
a great time to make sure you have this in place.
Marriott is one of the first travel loyalty programs to incorporate
two-factor authentication into its login process. Because Marriott merged with
SPG only recently, the two loyalty programs still run as separate account
systems, which is why the warnings focus primarily on SPG accounts. Hopefully
one result of this breach is that it will speed up the merging of the two
programs, improving security going forward.
5. Beware of scams
Criminals are aware that people will be feeling especially anxious about
their security as a result of this incident. Some people may, ironically, be
more apt to fall for social engineering tactics and phishing schemes that prey
on this fear. Never click on links in emails purporting to come from businesses
using this breach as an angle, especially if they appear suspicious in any way.
It’s a good idea, especially after major security events and other crises, to
consider any link in an unsolicited email to be potentially malicious. Instead,
you should type URLs that you know to be genuine into your browser directly if
you need to contact companies.
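The three tricks that make breach-themed phishing links convincing are a
lookalike domain, the real site's name used as the visible link text, and a
real hostname buried in the userinfo part of the URL. The following script is
an added example, not part of the original post: it extracts the links from an
HTML email and flags any whose actual hostname is not one of a small set of
sites the reader already trusts. The TRUSTED_HOSTS set and the sample email are
constructed for illustration (the ".example" and "example.net" domains are
reserved and not real phishing sites).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the hosts named on this page. Extend for your own use.
TRUSTED_HOSTS = {"answers.kroll.com", "marriott.com"}

# Constructed sample email, not a real message.
SAMPLE_EMAIL = """
<p>Dear guest, your Starwood account may be affected by the breach.</p>
<p>Official information: <a href="https://answers.kroll.com/">answers.kroll.com</a></p>
<p>Verify now: <a href="https://answers.kroll.com.example.net/verify">answers.kroll.com</a></p>
<p>Or here: <a href="https://answers.kroll.com@evil.example/">answers.kroll.com</a></p>
<p><a href="https://marriott-account-security.example/login">Secure your account</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname the browser would actually connect to (lowercased, userinfo stripped)."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one ('a.b.com' vs 'a.b.com.evil')."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify(href, text):
    """Return 'ok', 'mismatch' (text shows a trusted host but href goes elsewhere) or 'untrusted'."""
    if is_trusted(host_of(href)):
        return "ok"
    # Does the visible text itself look like a trusted hostname or URL?
    looks_like_url = "." in text and " " not in text
    text_host = host_of(text if "://" in text else "https://" + text) if looks_like_url else ""
    if text_host and is_trusted(text_host):
        return "mismatch"
    return "untrusted"


def audit_links(html):
    """Return [(href, text, verdict), ...] for every link in the email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:9s} {text!r:28s} -> {href}")
```

Only the first link resolves to a trusted host; the second and third display
"answers.kroll.com" but actually connect to example.net and evil.example, and
the fourth is simply an unknown domain. The practical lesson matches the advice
above: the hostname that matters is the one the browser connects to, not the
text you see, so type the address yourself rather than clicking.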
What else can we say?
By most metrics, the Marriott Starwood breach is one of the biggest data
security incidents ever reported. In terms of the number of persons affected
(500 million) it would appear to rank second only to Yahoo (3 billion). By
comparison, the 2013 Target incident impacted 70 million people, 40 million of
whom had payment card data stolen.
In terms of data compromised, it sounds like not all of the breached
Starwood records included payment card information, and thankfully none
contained Social Security numbers. On the other hand, some passport details
were revealed, which is unusual, and the persistent presence of attackers in
the system – since 2014 – raises the possibility that travel patterns and other
valuable intelligence about Starwood guests have been gleaned, which would be a
significant difference from breaches in sectors such as retail or banking.
Clearly, this breach has serious negative implications for Marriott and
Starwood, not just because of the scale, but because it seems to have gone
undetected during the $13.6 billion acquisition of Starwood Hotels and Resorts
by Marriott International in 2015. According to fellow ESET researcher Stephen
Cobb, all of the brands involved can now expect to suffer costly reputational
damage, as well as multiple forms of legal jeopardy: “There will be class
action lawsuits brought by customers and shareholders, as well as potentially
damaging investigations by everyone from state attorneys general in the US to
the EU data protection authorities; bear in mind, this is the largest breach we
have seen since GDPR went into effect.”