The Marriott International hotel chain has revealed that it has suffered a massive data breach, affecting 500 million guests between 2014 and September, 2018. If you’ve stayed at one of the company’s Starwood properties within this period, it’s likely that your personal details—like name, date-of-birth, passport number, and even credit card details—may now be in the hands of criminals.
Here’s what you need to do now.
How did the Marriott data breach occur?
Firstly, let’s look at what happened. Marriott was informed in September that a breach had occurred. The hotel chain operates around 6,700 properties across the world, including Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Meridien, Tribute, Design Hotels, Elements, and the Luxury Collection. All these hotels were compromised.
The Residence Inn and Ritz Carlton, which operate on a separate reservation system, were not affected, the company says.
The hackers accessed the database on or before September 10, 2018. They pulled data back to 2014. An internal investigation by Marriott found that an “unauthorized party had copied and encrypted information, and took steps toward removing it.” The credit card info that was taken was, according to Marriott, encrypted, meaning there is some uncertainty as to whether the criminals would be able to use the payment details.
In total, 327 million people had their information—including names, phone numbers, email addresses, passport numbers, and dates of birth—exposed. For millions of others, credit card numbers and card expiration dates were obtained by the hackers. Even if the encrypted payment details cannot be used, the other information alone could be used to steal your identity and open bank accounts, credit cards, or loans in your name.
This is being called the second largest corporate data breach in history, behind only Yahoo, which had a breach to the tune of 3 billion accounts. Hotel chains are a key target for hackers as they typically hold a wealth of personal data and yet they don’t have the security infrastructure of the banking industry.
How do you know if you were affected?
Marriott says it will email customers who may have been affected soon. It has also set up a website to help concerned Marriott guests learn more.
What can you do to protect yourself?
1. Monitor your accounts for suspicious activity
Go through your bank statements with a fine-tooth comb and look for any suspicious activity. If you think something looks off, contact your bank’s fraud department immediately. Also, check your credit report for random accounts opened up in your name. You can do this via Identity Theft Protection services or simply by using free apps like Credit Karma.
2. Change your password
It’s always good practice to change your passwords, but if you’re a victim, you’ll want to make this a priority. Don’t just pick a password that is based on real words, your date of birth, or mother’s maiden name. Hackers have sophisticated tools that will figure it out in seconds. Instead, consider a password manager to create unique passwords for each account. And best of all, it will do the remembering for you so you don’t have to.
3. Avoid saving credit card information on websites
It’s convenient to store your credit card details on a website for next time, but doing so means it’s much more likely that data will be stolen in the event of a breach. While inputting your credit card details each time won’t keep you totally secure, it is safer than saving the details.
If you can, pay via PayPal or other apps. This way, your credit card details will not be vulnerable.
4. Open a separate credit card for online transactions
If you have a designated credit card that you only use for online shopping, it’ll be much easier to determine if someone is using your information. If your bank statement is filled with coffee payments, grocery shopping, and other bills, it’s easy for a few rogue payments to slip through the net.
5. Limit the information you share
We make it far too easy for hackers. A quick browse of your social media channels likely gives away many of the personal details needed for a hacker to build a fake profile and steal your identity. Think kid’s names, birthdates, mother’s maiden name, family pets, phone number, email, etc. In most cases, we willingly hand this info over to anyone who visits our page.
Make your accounts private and do not voluntarily give away any info you don’t have to.
6. Use Hotspot Shield whenever you’re connected to public WiFi
Hotspot Shield is a free app that encrypts your WiFi network, making it impenetrable to hackers. Whenever you connect to free, public WiFi—like at a coffee shop or hotel—your data is exposed to anyone on that same network. By using Hotspot Shield on your mobile and desktop device, you can ensure you are protected.