The Marriott Data Breach: What You Need to Know

Nearly three months after detecting a mammoth data breach, Marriott finally came clean last week. Marriot has admitted that hackers have had access to a system containing the personal information of up to 500 million guests since 2014. That makes it the second largest data breach in history after Yahoo’s 2013 and 2014 breaches.

Marriot Data Breach

The scope of this breach is almost mindboggling. If you have stayed at any of Marriott’s Starwood properties during the past four years—St. Regis, Westin, Sheraton or W Hotels—your name, phone number, email address, mailing address, passport number, date of birth, gender, and travel details may be among the hacked. While Marriott discovered the data breach on September 8th, it was not able to decrypt what was stolen until November 19th. Since that time, it has notified the public about the breach and taken steps to remediate it. Marriott has informed authorities, bolstered encryption, created a call center to answer questions about the incident, and offered free WebWatcher Internet monitoring software to customers.

What to do now

Marriott has done all it can to help customers deal with the situation, but it’s not nearly enough. Unfortunately, the rest of the work is the responsibility of the customer. If you have stayed at any Starwood property in the past several years—or even think you may have—take these steps seriously.

Change your password

Not only should you change your password, but you should never use the affected password again. Make sure you create a strong and unique password, avoiding common words and phrases and incorporating upper and lower case letters, numbers and characters. If you are using CyberFOX, be sure to click on the Generate Password option in to create a strong and unique password.

Enable two-factor authentication on your accounts

Two-factor authentication requires users to verify their identity in two ways—via password and a code only that user has access to. Often, the code will be generated by the site and sent to the user via text message or email after a user inputs a password. Only users who satisfy both requirements will be admitted to the site.

Monitor your accounts for suspicious activity

This includes monitoring everything from credit card activity and bank statements to suspicious emails for password resets. This includes unusual financial activity, unfamiliar changes to settings, and unusual activity notifications. There are several ways to do this, including opting in to receive security and fraud alerts from your trusted vendors, signing up for credit monitoring and ID protection services, and even freezing your credit, which prevents anybody from accessing your credit reports without your permission. If you think  you may have been breached, it’s also a good idea to visit the government’s IdentityTheft.gov website.

Don’t save credit cards in websites

Breaches are far too common; anything you save on a website could be stolen at some point. Despite the common prompts asking you to save your credit card information at a site, don’t do it. That information is gold to hackers. Instead, use a service like CyberFOX to securely store all of your personal details and credit card information.

Be vigilant

While automated methods of monitoring accounts is critical, they can’t catch everything. That’s why it’s so important to keep your eyes open, scanning everything with a critical eye. One of the most important steps you can take is performing a Dark Web scan of all of your passwords and email addresses each month. Unlike the public web (where you can shop online, use social media, etc.) and the deep web (internal company sites, member-only websites, pages behind paywalls, online databases, etc.), the Dark Web is a hidden part of the Internet invisible to search engines. While it only represents about three percent of the Internet, the Dark Web is a dangerous place where your information may live and grow if it has ever been hacked. It’s also a place where criminals buy credit card numbers, userids and passwords, hacked accounts, software to help hack into accounts, and the services of hackers. If you discover any illicit activity related to your accounts during the Dark Web scan, immediately change any passwords that have been compromised.

It’s also good practice to provide as little information as possible, both online and in person. For example, many doctors’ offices still request your Social Security Number. It’s fine to decline that information. They don’t really need it; all they need is your insurance information.

The next big data breach is probably just around the corner. It’s not a matter of if your information will fall into the wrong hands, it’s just a matter of when. Take steps now to start increasing your security and lowering your risk.

There is going to be another breach, take steps now to start increasing your security and lowering your risks

Get the latest insights delivered to your inbox

Subscribe to identity and access management news and resources from industry experts.