Marriott has announced a breach of its Starwood reservation database, which has exposed the personal information of 500 million people. Starwood hotels include: W Hotels, St. Regis, Sheraton Hotels and Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. This breach impacts anyone who made a reservation between 2014 and September 18, 2018.
Marriott has confirmed that hackers were able to access names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender information, Starwood loyalty program account information as well as reservation information. Credit card numbers and expiration dates were potentially exposed. Marriott has set up a website (https://answers.kroll.com) containing incident information, resources, FAQs, and customer next steps, including free WebWatcher enrollment. WebWatcher monitors sites where personal information is shared and notifies consumers if their personal information is found on these sites. U.S. guests who enroll in WebWatcher will also receive free fraud consultation services and reimbursement coverage.
As phishing attempts related to this breach will likely arise, Marriott states that emails to customers concerning this breach will not have attachments or requests for information. The FTC advises that the safest way to access breach information is via the Marriott website: https://answers.kroll.com.
Recommendations:
For those who have made a reservation at a Starwood hotel during the period impacted by the breach (2014 to September 18, 2018):
- Monitor your financial accounts to ensure there are no unauthorized transactions. Many credit card providers offer a service whereby you can request notification (by text or email) of charges that exceed a certain amount.
- Change your Marriott/Starwood account password even if your account has not been reported as compromised. This is a simple step which may protect you from possible negative impacts.
- Place a fraud alert on your credit files. Fraud alerts warn creditors that you may be a victim of identity theft and that they should verify that anyone seeking credit is really you.
- Consider a credit freeze so that identity thieves will be unable to open new lines of credit.
- Fraud alerts and credit freezes are now free services. For more information, please see the following blog posts from the NYU IT Security News & Alerts blog: