Marriott had a data breach. Now what?

maru37
4 min read · Dec 3, 2018

If you stayed at a Starwood resort at some point in the last four years, your personal data was probably involved in a massive data breach announced by Marriott International on Friday, November 30. The basic timeline goes something like this: in September of this year, Marriott was alerted to an unauthorized access attempt to the Starwood registration system. After conducting an investigation, Marriott believes that someone had unauthorized access to the Starwood registration system since 2014. That unauthorized party had encrypted and stolen data that was later determined to be from the Starwood registration system.

You can bet that the Marriott security team has not been getting a lot of sleep the last few weeks.

(A quick note on Starwood: Marriott completed its acquisition of Starwood Hotels and Resorts in September 2016 for a reported $13B USD. This acquisition made Marriott International the largest hotel company in the world.)

I’ve read a number of articles that have been dispensing a bit of advice about what to do as a result of this data breach. I’ve seen pretty run-of-the-mill advice like change your passwords, use a separate credit card for online purchases, check your credit report, etc. Some of this is good advice but many of these tips have very little to do with the data breach itself. The remainder of this post is my stab at a few things that consumers and those impacted can actually do to best respond to this data breach.

Be careful who you trust: in the aftermath of these data breach reports, attackers try to capitalize on the headlines to take advantage of people who are concerned about the incident. This could manifest itself in emails claiming to be from Marriott or websites that look legitimate but are well-crafted fakes. It’s also possible that there could be robocalls on the horizon, asking people to provide personal details in order to qualify for benefits. There are two websites that you can trust for accurate information about the data breach. They are:

Be conscious of what data you’ve shared with Marriott/Starwood: this is generally good advice but let’s apply it to this situation. When you have a rewards account with a hotel or just an account in general, your profile will include information about you. This speeds up the reservation process and allows for a more personalized experience. Now is probably a good time to ask yourself what data Marriott/Starwood had on you and if it needs to have all of that information about you. Any information that you hand over to an online merchant or service can be stolen. This isn’t FUD, it’s just reality; so be picky about what and how much you choose to share. It won’t undo what’s already been done but it can help limit your exposure in the future. It will also help you understand how you may be personally exposed in this data breach.

Fortunately, I chose not to include my gender or date of birth with my profile. So I guess that’s something.

Unauthorized credit card charges: if you had a credit card saved in your Starwood profile, it may have been accessed by the attackers. Fortunately, all credit card numbers were encrypted with a key, but Marriott does not seem to know for sure whether the attackers got both the encrypted card numbers and the decryption key. So if you have an active credit card, keep an eye out for unauthorized purchases. The banks and card brands are pretty good at detecting fraud, so if you get a new card in the mail at some point in the next few months, I wouldn’t be surprised.

Change your password: if you have a Marriott or SPG rewards account, I would change the password to this account. I would make it something incredibly long and complex. Finally, I would store it in a password vault like LastPass. Note that Marriott does not currently support multi-factor authentication. Marriott should really add this as an additional security feature for customers.

Current password complexity for Marriott/Starwood rewards program account holders. Would love to see it increase in length to something >40 (wink wink).

Don’t panic: after data breaches, some people have a tendency to panic (please, don’t cut up all your credit cards). Sadly, data breaches are a common occurrence in our world. Fortunately, society has found a way to move on after Yahoo, Equifax, and OPM. There are some very smart people working to make this right. Security is hard but even the best teams miss things and the best programs have holes. Attackers found one here and that’s regrettable. But if you like Marriott Hotels, keep on liking them. Chances are its security program is about to get a lot better.

maru37

I write about technology and information security. Be kind.