Marriott Data Breach
Sometimes protection of your personal data is out of your hands, but there are things you can do.
On November 30th, Marriott International announced they had discovered a breach in their Starwood Reservations system, exposing the personal data of nearly 500 million of its guests. This is the second largest corporate data breach in history, after a similar event at Yahoo in 2016 exposed some personal information of 3 billion customer accounts.
Hotel brands affected
At this time, Marriott does not believe the Marriott reservation system was compromised as this resides on a separate network. The hotel brands that fall under the Starwood reservation systems are:
- Four Points by Sheraton
- Le Meridian
- W Hotels
- St. Regis
- Design Hotels
- Tribute Portfolio
For the majority of these guests, the personal data exposed includes names, phone numbers, email addresses, passport numbers, and birth dates. For millions of guests, the exposure includes credit card numbers and expiry dates. All of this information can be used to steal a person’s identity and open financial accounts in their name. A very troubling possibility indeed. Marriott has said it will begin notifying customers who were affected via email, immediately.
Have you been affected?
What can you do to mitigate this situation?
Develop Good Password Habits
If you are someone who uses two or three passwords across all their digital transactions, you’re not alone, but this is definitely not a good practice. Take this opportunity to change your passwords for your banking, your utilities and any common shopping sites you use. Each service should have its own unique password and those passwords should be difficult to guess. Try combinations of three or four unrelated words and include special characters such as punctuation and some numbers. Change these passwords regularly. If a service offers a two-factor authentication process (for example, using your phone number as a second factor), take advantage of this additional security layer.
Watch for Suspicious Activity
Marriott is advising that if you have a Starwood Preferred Guest account, monitor this for suspicious activity. Additionally, be vigilant of transactions across bank accounts, credit cards, brokerage accounts or government portals which could affect where cheques are directed. Some identity security experts recommend signing up for credit monitoring services or identity theft insurance. Providers of both of these services charge a fee and you should compare the limits of the services before you decide to engage them. Not all monitoring services are the same and insurance policies in this regard will vary in terms of their coverage and your liability.
Don’t Provide Personal Data If You Don’t Have To
When asked online for personal information, try to ascertain if this is in fact a requirement of the transaction. If you’re being asked for your passport number, will a driver’s licence number suffice? If you’re reserving a rental car, is it necessary they have the driver’s license information in advance or could it be provided in person at the time of pick-up? Never divulge your Social Insurance Number if asked and experts say this should never be used as a piece of identification. Many websites offer to “store” your credit card information for the sake of convenience but as soon as you do, you risk that this information can be hacked and exposed, so weigh the convenience against the risk. Using services like Apple Pay, Pay Pal or Google Pay can help limit exposure of your credit card information to one or two entities, but still allow you to pay for goods and services across the internet.
If you have concerns regarding your personal data that may have been exposed in this Starwoods Reservation breach, you can contact Marriott through Resolver and use our free service to guide your inquiry to the correct individuals. When you use Resolver for the first time, you will be prompted to set up an account which allows you to view all communication with Marriott, or whoever you choose, within a secure website.
Lastly, as of November 1st 2018, the Office of the Privacy Commissioner of Canada requires companies to report any breach of private information, where it creates a real risk of significant harm. The rules have very clear communication guidelines for affected customers.