NPC Security Alerts
500 Million Marriott, Sheraton, Westin and Other Starwood Hotel Guests at Risk in the Latest Data Breach

November 30th, 2018

What's the issue?

Another major data breach, one that exposed the personal and financial information of half a billion customers, was announced today by Marriott International. The hotel chain announced that it has discovered a data breach of its Starwood guest reservation system. Evidence of the breach shows it has been present since 2014, and as recently as September 10th, 2018. The breach affects the Starwood brand of hotels that Marriott acquired in 2016, which includes W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

On September 8th, 2018, Marriott received an internal security alert that an attempt had been made to access the Starwood guest reservation database, which triggered an investigation. The investigation revealed "unauthorized access" by hackers to the Starwood reservation system, where they "had copied and encrypted information, and took steps toward removing it." For 327 million guests, the information that was stolen includes name, phone number, email address, passport number, date of birth, and arrival and departure information. For others, encrypted credit card numbers and card expiration dates have also been stolen, but Marriott cannot confirm whether the hackers were able to decrypt the information.

Marriott has reported this incident to law enforcement and has begun to notify regulatory authorities. Marriott has stated that they are "devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to [their] network."

What should I do?

Marriott is sending out email notifications to those affected by the data breach. 500 million emails will, however, take some time to deliver. Marriott has also established a dedicated call centre to answer questions about the breach. The dedicated call centre numbers provided by Marriott are Canada 877-273-9481, USA 877-273-9481. Other international numbers are available on Marriott's site. Marriott is also providing affected guests in Canada, the US, and the UK the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher is a cybersecurity company that monitors for signs of personal information being traded or sold online. This is the most immediate remedial action, and we would expect Marriott to provide full credit protection and other services, depending on the geography of the affected individual and the associated regulatory requirements.

Anyone who stayed at any of the Starwood hotels listed above should take the following steps:

  • Change your password on any accounts or points programs you have with these hotels, and if you have used the same password anywhere else, change it too.
  • Monitor your bank accounts and credit card statements for any suspicious transactions and activities.
  • Change your online passwords regularly, make them long, and do not use the same password on different sites.
  • Consider engaging credit monitoring, or, where possible, place a credit freeze on your credit file with a credit monitoring agency.
  • Beware of "phishing" attacks that may use data stolen from the breach. These may arrive as emails containing convincing information designed to get you to click on infected links or attachments, or to provide more information. These attacks may also appear to come from Marriott. Marriott advises that its emails about the attack to affected individuals will only come from "", will not have any links or attachments, and will not request any information.
  • Acquire a separate credit card with a nominal credit limit for online transactions, and ensure that the card issuer provides, or you have, fraud insurance on that card. A separate card for online transactions also makes it easier to spot fraudulent activity.
  • Limit the information you share to a need-to-know basis. As an example, if a hotel asks for your passport number, ask why, and if they don't have a good reason, don't give it.

For more information on this matter, go to Starwood Guest Reservation Database Security Incident.

NPC will continue to monitor this incident and will provide information on significant new developments as they may affect you.


Ars Technica - Marriott breach leaves 500 million exposed with passport, card numbers stolen
Starwood Guest Reservation Database Security Incident
The Washington Post - What you should do after the Marriott data breach
