At first glance, the November 30th 2018 announcement that Marriott Hotels / Starwood had their reservation database hacked and 500 million client records stolen seems like just another data breach that we have all become accustomed to.
However, the Marriott breach is no run-of-the-mill event. Here’s why:
1 – The Marriott breach is the third largest breach in history:
Marriott is the owner of some major brands that you have likely had dealings with, and those were the hotels that were hacked. The affected hotels are:
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Four Points by Sheraton
- Aloft Hotels
- St. Regis
- W Hotels
- Element Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Design Hotels
The scale of the Marriott / Starwood / Sheraton / Westin… data breach is only exceeded by Yahoo’s 2003 breach of user data and the Indian Government hack in 2008 that took election information. The third largest hack EVER is of historic proportions.
2 – The Marriott data breach included complete profile information
Most hacks are of credit cards and some user data like an email address. This breach included everything from the Starwood reservation system, including:
- Full Name
- Mailing address
- Phone number
- Starwood Preferred Guest account information

So far this is pretty run-of-the-mill… but here is where it gets very serious:
- Passport Information
- Date of Birth
- Credit Card information
  - Marriott’s damage control agency, Kroll, is quick to point out that SOME of these were encrypted, making credit card information nearly useless… for SOME
- Travel Information
  - You might not think travel information is a big deal, but it really is, because if you travel on a pattern hackers can easily guess where you will be and, much more importantly, where you will not be (i.e. when your house and office will be empty). Speaking as a security professional, I can tell you from first-hand experience that hackers love it when you are out of the office because that is the ideal time to contact your subordinates in an attempt to transfer money.
With all of that information, serious attacks on many of the companies (see item 10 above) and individuals involved are inevitable. It would be very easy for someone to steal your identity with that information. In addition to all of the mundane things you think identity thieves perpetrate, they can also:
- take a second mortgage on your house
- borrow money against your cars
- have new credit cards (that you do not even have today) shipped to a new address
- sell your house
If you think that is paranoid or inaccurate, you are wrong. In Canada and the United States this is called “Title Fraud”, the FBI calls it “House Stealing”, and it is a growing concern:
…Statistics don’t exist when it comes to the annual number of all instances of real-estate fraud but estimates of damages range from $400-million to $1.5-billion in Canada annually, according to First Canadian Title, a title insurance company. …the firm declined to insure a mortgage twice a week based on the suspicion of fraud; the average mortgage was $360,000…
WHAT TO DO NOW
It is quite a surprise to find out that Marriott Hotels keeps its reservation system on a separate network and that it was not breached. What was breached was their Starwood reservation system, and that means if you have dealt with W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton or Design Hotels, you should act quickly.
Note that you do NOT have to be a Starwood Preferred Guest (SPG) member to have had your information stolen; if you had a reservation at any of those hotels your information has likely been compromised.
What you should do now is:
- If you made the huge mistake of using the same password on your Starwood account as on any other sensitive site (e.g. H&R Block tax prep, your bank, your insurance company, …), you need to immediately log into each one of those systems and change your password
- Register for WebWatcher for free under Marriott’s program. This service will check your name against the ‘dark web’ to see if your information is being sold or transmitted. It is far from a guarantee of safety but it is a good second step
  - Marriott does not provide a link to register for this service so I suggest you call them at the number below
- Change your password with Starwood
- Consider joining the inevitable class action lawsuits that will come from this extremely serious breach

Shockingly, the support line that Marriott has set up is only working from 9am to 9pm Eastern Time. That is a gigantic fail for executives that work long hours (i.e. half of their customers) and for people that do not live in the Eastern Time Zone. I fall into both of those categories and I am not very happy with the response from a company that has already put me at risk.
I suggest you contact them directly to help determine your situation and get more up-to-date information.