Marriott International is dealing with the fallout after revealing a massive data breach affecting hundreds of millions of customers who stayed at Starwood-branded properties between 2014 and September 10, 2018.
The scope of the hack is one of the largest in industry history. The security incident involved the Starwood guest reservation database, affecting over 500 million guests with reservations at Starwood properties. The affected brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels.
Marriott – which bought Starwood hotels in 2016 – said the unauthorized access has been going on since 2014, and that the breach affects customers who made bookings on or before Sept. 10, 2018.
For most of the affected customers the information hacked includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For others, the information also includes payment card numbers and payment card expiration dates. While this information was encrypted, it’s possible that the hackers also took the information necessary to decrypt it.
Marriott is sending emails on a rolling basis to affected guests whose email addresses are in the Starwood guest reservation database. The company has also established a dedicated website (info.starwoodhotels.com) and call center to answer questions about the incident. The call center is open seven days a week and is available in multiple languages.
Marriott said it is also providing guests with the opportunity to enroll in WebWatcher, free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.
Marriott announced Tuesday it will pay for new passports for travelers who have experienced fraud as a result of their passports being involved in this incident. The company is setting up a process to determine if fraud has taken place as a result of the breach, and upon verification will reimburse those guests for the costs associated with getting a new passport.
The expenditures for Marriott will continue. To prevent such an event from happening again, it will likely have to “invest very heavily in improved detection and response-based technologies, such as deception-based solutions, endpoint detection and response, software-defined segmentation, and behavior analytics,” predicts Nick Wyatt, head of tourism at GlobalData, a leading data and analytics company.
Marriott’s Woes Continue
The trouble for Marriott doesn’t end there. Some of the activity appeared to happen after Europe put the General Data Protection Regulation (GDPR) into place in May 2018, which boosted fines for violations of some types of data security.
In addition, a class-action lawsuit has been filed against Marriott. Murphy, Falcon & Murphy, with their co-counsel Morgan & Morgan, allege that the hotel chain “failed to ensure the integrity of its servers and to properly safeguard consumers’ highly sensitive and confidential information.” The suit does not disclose how much they are seeking in damages.
Bernstein Liebhard, LLP filed a securities class action lawsuit on Monday, and seeks to recover Marriott shareholders’ investment losses.
On Friday, the New York attorney general’s office said it would open an investigation into the breach.
What to do if you suspect fraud
If you suspect you might be a victim of a data breach and fraud, here are some steps you can take:
1. Check your accounts for fraudulent activity. It seems obvious, but most people don’t thoroughly check their credit card bill.
2. Enroll in identity theft monitoring software to ensure your personal data is not being used. Marriott is offering guests a free year with WebWatcher, which alerts customers if their personal information is shared on internet sites.
3. To protect against someone opening new credit accounts in your name, place a security freeze (also known as a credit freeze) to prevent new credit from being issued without your direct permission.
4. With passport numbers part of the personal information that was stolen by hackers, it may be a good idea to apply for a new passport. With your passport number, name, and date of birth, anyone can apply for a new passport by reporting the existing one stolen and use it as proof of identity to open a new bank account or access an existing one.
5. Keep in mind that once you report your passport as potentially compromised, it will immediately become invalid and cannot be used for international travel.
6. Regularly order free copies of your credit file from a service like annualcreditreport.com to make sure that no one is impacting your credit.