December 4th, 2018
Marriott is not providing credit monitoring for the customers affected by the breach of some 500 million records, as is usually done after a large-scale breach. Instead, up to this point they have engaged Kroll, a security firm, which is offering affected individuals in Canada, the U.S. and the UK Kroll's identity monitoring service, WebWatcher, at no charge. Identity monitoring is different from credit monitoring. Rather than watching for credit inquiries that show up on your credit file at the credit bureaus (Equifax, Experian and TransUnion), WebWatcher monitors the Internet for any of your information that was stolen in the breach, ostensibly to catch it when it surfaces on the web or dark web.
This is a concern for at least two reasons. First, it requires the individual applying for the monitoring service to provide to Kroll (and in part to CSIdentity Corporation, an Experian company that acts as a third-party data and service provider) the same personal and financial information that was lost in the breach. This new database of personal information becomes yet another target for cyberthieves, and the handling of that information and the security of Kroll and CSIdentity come into question. Second, the idea that WebWatcher can comprehensively find stolen information on the Internet is questionable. Cybercriminals often keep stolen information offline on their own servers and delay using or selling it, so it may not surface until after the free monitoring period expires.
This is not to imply that credit monitoring is a cure-all if your personal information has been stolen. Credit monitoring only watches your credit bureau file for activity such as the inquiries made before credit is issued. It does not cover the many other illegal and profitable uses cyber criminals make of stolen personal information: taking out new services in your name such as cable or cell phone accounts, using your identity to open money-laundering accounts, obtaining fraudulent passports, driver's licences or health cards, attacks on brokerage and retirement accounts, tax fraud, social security fraud, and so on. Credit monitoring detects none of those activities.
Kroll says on their website that WebWatcher can "detect more types of identity theft than credit monitoring alone". The implication is that identity monitoring complements credit monitoring; it is not a replacement or a better solution on its own.
Lawsuits against Marriott are already emerging. We expect they will respond to both regulatory requirements and the court of public opinion and do the right thing to protect their brand and their customers. Offering both identity monitoring and credit monitoring, a layered approach much like how we build cyber defense strategies, may be the better solution.
What should I do?
Along with our recommendations in the original security alert found here, consider putting a credit freeze or a fraud alert on your credit file. A credit freeze blocks anyone from accessing your file at the credit bureaus, which lenders normally do before issuing credit; you must specifically unlock your file when you apply for credit somewhere. A fraud alert flags your file so that you are informed when someone accesses it to establish credit, and warns credit grantors to contact you before approving credit. It is up to the credit issuer to decide whether to take any action or contact you when they see an alert on your file. Unfortunately, the Canadian credit bureaus do not allow Canadians to put a credit freeze on their credit file, as is available in the U.S. and other countries.
NPC will continue to monitor this incident and will provide information on significant new developments that may affect you.
Krebs on Security - Are Credit Monitoring Services Worth It?
Kroll - Identity Monitoring
Kroll - Starwood Guest Reservation Database Security Incident
The Wall Street Journal - Marriott's Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say