Marriott announced an enormous breach of the company’s reservations database that may have potentially exposed the personally identifiable information of more than 500 million guests.
If you’ve made reservations at the St. Regis, Westin, Sheraton, W Hotels or anywhere else that operates on Marriott’s Starwood guest reservation database, it’s time to redouble your cybersecurity and privacy efforts, because this compromise is one of biggest we’ve seen—dwarfed only by the Yahoo breach that affected 2 billion users.
"The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," Marriott disclosed in a statement. The vulnerability that the hackers took advantage of had been in place and used for “unauthorized access,” according to the company statement, since 2014
There is no clarity on credit cards, with the company at this time still unable to determine if the hackers were able to de-encrypt card numbers, but it is known that 327 million guests were exposed. The information compromised includes (but assume is not limited to): name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
This is a tremendous blow to consumers who trusted their information would be safe, and represents a potentially life-changing situation for anyone affected since there is enough information to make virtually any identity theft scam possible.
There are some basics when it comes to protecting yourself when your information is compromised, and they are simple. Follow the three Ms:
1. Minimize your exposure. Don't authenticate yourself to anyone unless you are in control of the interaction (and be paranoid), don't overshare on social media or communicate facts about your life (in other words, the answers to security questions) with social media contacts, on the phone or any other way, use a password manager or at the bare minimum make sure none of your long-and-strong passwords match, safeguard any documents that can be used to hijack your identity, and consider freezing your credit at all three credit reporting agencies.
2. Monitor your accounts. Check your credit report every day, keep track of your credit score, review major accounts daily if possible. There are places to check your credit score for free online, and most credit cards let you see your FICO score. If you prefer a more laid back approach, sign up for free transaction alerts from financial services institutions and credit card companies, or subscribe to a credit and identity monitoring program,
3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises--oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and HR departments.
The way these compromise events unroll publicly can be hard to follow, and there may be further revelations about the Marriott breach, but regardless those details there are actions you can take to protect yourself, and they are no longer optional in the general and pervasive atmosphere of cyber insecurity out there.