By now, you’ve likely heard about the massive data breach of Marriott’s Starwood guest reservation database. If you haven’t: The info of nearly 500 million people may have been compromised in the hack, making it one of the largest breaches of consumer data in history, and one that may have gone on for the past four years.
The hotel chain said it first learned of a possible breach back in September. According to NBC News, a subsequent investigation revealed there had been “unauthorized access since 2014” and that an “unauthorized party had copied and encrypted information.” Marriott later determined on November 19 that the information came from the Starwood reservation database. Starwood operates dozens of prominent hotel brands, including Westin, W Hotels, Ritz-Carlton, and all Marriott properties including Courtyard by Marriott, Fairfield by Marriott, and SpringHill Suites by Marriott.
“For about 327 million of the guests … the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
Marriott says that “for some individuals, the information copied also included payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken.”
What Should You Do?
For starters, Marriott set up a site with FAQs and a dedicated call center line. Marriott will begin sending emails to affected customers on a rolling basis. If you are indeed affected by the breach, there are some steps you can consider.
First off, change your Starwood password, and update any other accounts where you use the same password. Second, it’s a good idea to monitor your credit card activity and review any past activity. The payment card numbers were encrypted, which makes them harder to misuse, but Marriott has not ruled out that both components needed to decrypt them were taken, and it isn’t guaranteeing anything beyond covering free personal-data monitoring from WebWatcher for one year.
Beyond that … it’s a little tricky. The most sensitive piece of data involved in the breach is customers’ passport information. Passport numbers can be used for a wide range of counterfeit activities, not the least of which is (obviously) creating fake passports. But thieves can also use passport numbers to open fake credit card accounts and other financial accounts in your name. There’s really only one extreme solution to the passport problem, unfortunately, which is to renew your passport.
You can also freeze your credit. This restricts access to your credit reports, which will hinder attempts to open accounts in your name. You can temporarily lift the freeze when you need to provide access to your report for your own needs, and you can freeze your credit indefinitely.
Readers, have you stayed in a Starwood property over the past four years?