Update: Marriott now says the breach wasn’t as bad as originally reported, lowering the victim number to 383 million.
What can you do if you’re one of the roughly 500 million Marriott International Inc. guests affected by the massive data breach announced today? According to the company’s announcement, the breach affects guests who made reservations at Marriott’s Starwood properties from 2014 through September 10, 2018. For approximately 327 million of the impacted guests, Marriott says the exposed information includes some combination of:
- Mailing address
- Phone number
- Email address
- Starwood Preferred Guest (“SPG”) account information
- Arrival and departure information
- Reservation date
- Communication preferences
Credit and debit card numbers were also included in the breach. Marriott notes these numbers were encrypted with AES-128, but encryption only protects cardholders for as long as the key material stays out of the attacker’s hands, and Marriott has not yet been able to rule out that the components required to decrypt the numbers were also taken. Until that is known, treat your card number as potentially exposed.
5 Steps to Protect your Data After This Breach
If you’ve made a reservation at a Starwood property in the last four years (this includes Sheraton, Westin, Four Points, many other brands, and Starwood-branded timeshares), take these steps to minimize your exposure:
Change your password. This should be your default response to the news of any hack that might involve your information. If you use the same password in multiple places, be sure to change your password everywhere.
Implement multi-factor authentication (MFA). A breached password is only useful if a malicious actor can log in with it. Requiring a second factor, such as a one-time code from an authenticator app or, at minimum, a code sent via SMS to your phone, means the stolen password alone no longer grants access (but you should still change your password). Prefer an authenticator app or hardware key where the service offers one, since SMS codes can be intercepted by an attacker who takes over your phone number.
Monitor your accounts. Marriott’s Starwood systems were compromised for roughly four years, so fraudulent activity may already have taken place. Check your bank, card, and SPG account statements weekly and report any charges or changes you don’t recognize.
Consider freezing your credit. A credit freeze stops lenders from pulling your credit report, which blocks most new accounts from being opened in your name. In most U.S. states the freeze stays in place until you ask the credit bureau to lift it, temporarily or permanently, so plan on requesting a thaw before you next apply for credit. This guide from NerdWallet provides more details.
Watch out for phishing attempts. “Phishing attempts can be more credible when someone has access to actual personal details,” says Auth0 Principal Security Engineer Emory Lundberg. This hack includes data that could make social engineering attempts easier. For more advice on avoiding phishing attempts, check out this post by Annybell Villarroel, Auth0 Security Operations Manager.
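To make the MFA step above concrete, here is an added example that is not part of the original post or of Auth0’s products: a small login check in which a stolen password alone is rejected and access requires a valid time-based one-time code (TOTP, RFC 6238, the kind an authenticator app generates; an SMS code would play the same role). The user record, the password "hunter2", and the `make_user`/`login` helpers are constructed for this demo; the one-time-code routines follow RFC 4226/6238 and reproduce the RFCs’ published test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TOTP_STEP = 30          # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6
ALLOWED_DRIFT = 1       # accept one step either side to tolerate clock skew
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    """Check the submitted code against the current step and its neighbours, in constant time."""
    counter = at // TOTP_STEP
    ok = False
    for delta in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
        # Compare every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter + delta), code)
    return ok


def make_user(password: str) -> dict:
    """Constructed user record: salted password hash plus the TOTP seed shared with the authenticator app."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": secrets.token_bytes(20),
    }


def login(user: dict, password: str, code: Optional[str], at: Optional[int] = None) -> bool:
    """Both factors must pass; a leaked password on its own never grants access."""
    at = int(time.time()) if at is None else at
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # Evaluate the second factor unconditionally so a wrong password does not short-circuit.
    code_ok = code is not None and verify_totp(user["totp_secret"], code, at)
    return pw_ok and code_ok


if __name__ == "__main__":
    user = make_user("hunter2")           # constructed demo credential
    now = int(time.time())
    good_code = totp(user["totp_secret"], now)
    print("password only (as a breach attacker would have):", login(user, "hunter2", None, now))
    print("password + current code:", login(user, "hunter2", good_code, now))
```

Two things the snippet does not do that a real deployment must: throttle failed attempts (a six-digit space is small enough to brute-force without rate limiting) and reject a code that has already been used within its time step, which stops a phished or shoulder-surfed code from being replayed.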
Marriott's Data Breach Response Plan
In addition, Marriott has taken the following steps to help guests monitor and protect their information:
Dedicated Call Center
Marriott has established a dedicated call center to answer questions you may have about this incident. The call center is open seven days a week and is available in multiple languages. Marriott notes that the call center may experience high call volume initially.
Marriott began sending emails on a rolling basis on November 30, 2018 to affected guests whose email addresses are in the Starwood guest reservation database.
Free WebWatcher Enrollment
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and alerts the consumer if evidence of their personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. Guests from the United States who complete the WebWatcher enrollment process will also be provided fraud consultation services and reimbursement coverage at no charge.
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.