If you are into cybersecurity, or data privacy, or staying at hotels, you have probably heard that Marriott International - one of the world's largest hotel chains - announced a huge data breach today involving the Starwood reservations database. According to the Washington Post report on the breach: "the personal information of up to 500 million guests could have been stolen". One reason the number is so large is that the Starwood brand encompasses many different properties, including Sheraton, Westin, Le Meridien, Aloft, The Luxury Collection, and W Hotels. Another reason is that, according to company officials, an unauthorized party had accessed the database since 2014.
The official Starwood website for information about this breach is being hosted by Kroll, a company with extensive experience in security incident response: https://answers.kroll.com. Here is how the compromised information is being described so far:
A. For 327 million guests, some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
B. For a subset of those 327 million: payment card numbers and payment card expiration dates. The card numbers were encrypted with AES-128, which is strong in itself, but encryption only protects data for as long as the key stays out of the attacker's hands, and Marriott has not yet ruled out the possibility that the criminals also took the components needed to decrypt the card numbers.
C. For the remaining guests, exposure limited to name and sometimes other data such as mailing address, email address, or other information.
With all of that in mind, here are five defensive steps you should take now if you have used any Starwood/Marriott property during the last four years.
1. Change your password
One of the first – and simplest – things you should do in light of this breach is to change the password on your Marriott/SPG accounts (which are in the process of being combined). Hopefully you have not used the passwords from those accounts on other accounts, but if you have, it’s important that you also change the password on those other accounts as well.
2. Check your accounts for suspicious activity
Be especially vigilant about checking the transactions on payment cards, and your Marriott and SPG accounts. If you see payment activity that you do not recognize, it is important that you notify the bank that issued your card immediately. If you notice unusual or fraudulent activity on your Marriott or SPG account, you should contact them directly. It’s also a good idea to keep a closer eye on your other financial accounts (such as retirement or brokerage accounts), as well as your credit report.
Keep in mind that the thieves may not use or sell all of the stolen data right away. You will need to be vigilant with your accounts for a while.
3. Consider a Credit Freeze
Freezing your credit does make it harder for anyone to access your credit report, including you when you apply for a new bank card, loan, apartment or job, but it also makes it much more difficult for thieves to open new accounts in your name. Thanks to a recent change in US law on fees for credit freezes and fraud alerts, both can now be placed for free in the United States.
If you decide against a credit freeze, you may wish to place a fraud alert on your files instead. A fraud alert warns creditors that you may be a victim of identity theft and that they should take additional steps to verify that anyone seeking credit in your name really is you.
4. Improve your login security
With all the information that is now available to thieves from this and other recent breaches (particularly the Equifax breach), criminals may try to combine data to access other online accounts and services. It’s always a good idea to make sure you have strong, unique passwords for each account you use. If you’ve not yet enabled two-factor authentication wherever it’s available to you, now is a great time to make sure you have this in place.
Marriott is one of the first travel loyalty programs to add two-factor authentication to its login process. Because the merger with SPG is so recent, the two loyalty programs are still separate, which is why the warnings focus primarily on SPG accounts. Hopefully one result of this breach will be to speed up the merger of the two programs, improving security going forward.
5. Beware of scams
Criminals are aware that people will be feeling especially anxious about their security as a result of this incident. Some people may, ironically, be more apt to fall for social engineering tactics and phishing schemes that prey on this fear. Never click links in emails that purport to come from businesses and use this breach as a hook, especially if anything about them seems off. It's a good idea, especially after major security events and other crises, to treat any link in an unsolicited email as potentially malicious. Instead, type URLs that you know to be genuine into your browser directly if you need to contact a company.
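To make the "don't trust the link" advice concrete, here is an added example (not part of the original post, and not an ESET or Marriott tool) that audits the links in an HTML email before anyone clicks them. It extracts every anchor, checks whether the target is one of the domains a genuine notification would use, looks for the brand name hidden in a subdomain or spelled with digit substitutions, and flags anchors whose visible text names one site while the href points to another. The expected-domain list and the sample message are assumptions constructed for illustration; a real list should come from the company's own site, typed into the browser by hand.

```python
"""Audit the links in a breach-themed e-mail before anyone clicks them.

Added example, stdlib only. EXPECTED_DOMAINS and SAMPLE_EMAIL are
assumptions constructed for this illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine notification would link to (assumed for this example).
EXPECTED_DOMAINS = {"marriott.com", "kroll.com"}
BRAND_WORDS = ("marriott", "starwood", "kroll")

# Common digit-for-letter substitutions seen in lookalike domains.
_LEET = str.maketrans("013457", "oleast")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of bare text such as 'www.marriott.com/offer'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable_domain(host):
    """Last two labels: fine for .com brands, not for co.uk-style suffixes."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True if the anchor text itself reads like a URL or hostname."""
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.lower()))


def classify_link(href, text):
    """Return the reasons this link is suspicious (empty list means it passed)."""
    reasons = []
    host = host_of(href)
    if not host:
        return ["href has no hostname"]
    target = registrable_domain(host)
    if target not in EXPECTED_DOMAINS:
        reasons.append(f"target {host} is not an expected domain")
        # Brand hidden in a subdomain (marriott.com.evil.net) or spelled with
        # digits (marri0tt.com) is the classic lookalike trick.
        labels = host.split(".")
        if any(b in labels for b in BRAND_WORDS) or any(
            b in target.translate(_LEET) for b in BRAND_WORDS
        ):
            reasons.append(f"{host} impersonates a known brand")
    if looks_like_url(text) and registrable_domain(host_of(text)) != target:
        reasons.append(f"displayed {text!r} but points to {host}")
    return reasons


def suspicious_links(html_body):
    """All links in the body that trip at least one heuristic."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            hits.append((href, text, reasons))
    return hits


# Constructed sample: a phishing message riding on the breach news.
SAMPLE_EMAIL = """
<p>Dear Starwood Preferred Guest,</p>
<p>Following the security incident, please
<a href="http://marriott.com.account-verify.net/spg">verify your SPG account</a>.</p>
<p>Or go to <a href="https://login.marri0tt.com/">https://www.marriott.com/</a></p>
<p>Official information: <a href="https://answers.kroll.com/">https://answers.kroll.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}\n  text: {text!r}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, the first two links are flagged (a brand name buried in a subdomain, and a digit-substituted domain whose anchor text claims to be marriott.com) while the genuine Kroll link passes. The heuristics are deliberately simple; they catch the tricks that work on a hurried reader, which is exactly the reader a breach-themed phish is written for.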
What else can we say?
By most metrics, the Marriott Starwood breach is one of the biggest data security incidents ever reported. In terms of number of persons affected (500 million) it would appear to rank second only to the Yahoo breach (3 billion). By comparison, the 2013 Target incident impacted 70 million people, 40 million of whom had payment card data stolen.
In terms of data compromised, it sounds like not all of the breached Starwood records included payment card information, and thankfully none contained Social Security numbers. On the other hand, some passport details were revealed, which is unusual, and the persistent presence of attackers in the system - since 2014 - raises the possibility that travel patterns and other valuable intelligence about Starwood guests have been gleaned, which would be a significant difference from breaches in sectors such as retail or banking.
Clearly, this breach has serious negative implications for Marriott and Starwood, not just because of the scale, but because it seems to have gone undetected during the $13.6 billion acquisition of Starwood Hotels and Resorts by Marriott International, announced in 2015 and completed in 2016. According to fellow ESET researcher Stephen Cobb, all of the brands involved can now expect to suffer costly reputational damage, as well as multiple forms of legal jeopardy: "There will be class action lawsuits brought by customers and shareholders, as well as potentially damaging investigations by everyone from state attorneys general in the US to the EU data protection authorities; bear in mind, this is the largest breach we have seen since GDPR went into effect."