Marriott is doing damage control after the discovery of a huge data breach that began four years ago. The hackers had access to Marriott’s Starwood Reservation system and the personal information for half a billion customers. It’s a huge wake-up call for all consumers to protect their identities so that hackers who get this kind of information can’t use it.
Marriott issued a statement at the end of November saying that it received an alert on September 8th from an internal security tool about a database access attempt. That’s when Marriott began investigating what it found to be a massive hacker attack on its Starwood network that began in 2014. It says that an unauthorized party had copied and encrypted information, and had “taken steps to remove it.” When Marriott decrypted that information, it found that hackers were trying to take guest reservation data.
Personal Information Compromised
It says the data that hackers had access to included a combination of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood account information, dates of birth, gender, and travel dates for about 327 million people. The accessed information also included credit card numbers and expiration dates, but that data was encrypted by Starwood, and Marriott has not yet determined if the hackers were able to decrypt it. The rest of the compromised data was mostly limited to things like names and email addresses.
Security experts say this is the second largest data breach ever — second only to the 2013 Yahoo breach that impacted account information for some three billion people. But it’s larger than the Equifax breach last year, and it reveals that major corporate websites are still vulnerable to information theft by hackers.
One of the biggest surprises in this breach is the length of time that it took to notice the problem. The New York Times says that unlike other breaches, the Starwood data never popped up on the dark web. (1) That would have brought attention to the cyberattack much sooner. Marriott says it is working with leading security experts to determine what happened, and to make its system more secure. At this point, there’s no word on where this attack originated or a motive for taking this information.
Connected to Reservation Data
The breach affects people who made reservations from 2014 through September of this year at any of the Starwood hotels, which are owned by Marriott. Those hotels include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Meridien, Tribute, Design Hotels, Element and the Luxury Collection. The breach did not affect Marriott hotels such as Residence Inn and the Ritz-Carlton because that reservation system has not yet been merged with the Starwood system, although there are plans to do that.
Marriott Notifying Customers
Marriott has been sending out emails to affected guests. It has also set up a call center and a dedicated website. The Washington Post reports that it will cover the costs of new passports “if a fraud has taken place.” (3) It appears that hackers won’t be able to create a fake passport with just a number, but there’s concern about the use of the number in combination with other personal information for the purpose of identity theft.
This incident has left many people wondering what Marriott is doing to beef up its security. It said in the press release that it’s working with security experts to make improvements. It says it is also accelerating the phase-out of its Starwood system, apparently as part of its plan to merge the two reservation systems.
Marriott Accused of Poor Response
Security experts say Marriott isn’t doing enough to protect people from phishing scams connected with those emailed warnings. They say that scammers often take advantage of situations like this by creating a domain name that looks official, and sending emails that trick people into going to a phony website and revealing their personal information.
Some security experts have taken it upon themselves to make sure that doesn’t happen with the Marriott emails by registering domain names that could be used by scammers. Rendition Infosec founder Jake Williams told TechCrunch that he registered the domain name email-marriot.com and others to keep them away from scammers. (3) He said, “After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals.”
According to Williams, the other problem with the Marriott email response is the use of a third-party website to generate those emails. He says the company should have generated those emails through its own website, to make it easier to see that they are legitimate.
Nick Carr, of security firm FireEye, also registered names that could be used by scammers to help protect the public. He told TechCrunch, “Hopefully this is one less site used to confuse victims.” But he says it’s important to “watch where you click.”
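The lookalike-domain problem described above is something a mail-security team can check for automatically on the receiving side. The following is an added illustration, not code from the article or from Williams or Carr: it triages the sender domain of each incoming notification against the organization’s official domain and flags near-misses. It assumes the official sending domain is marriott.com and the brand token is “marriott” (neither stated in the article); the From: headers are constructed for the demonstration, with email-marriot.com reused from the article as the lookalike case.

```python
import re

# Assumed values, not taken from the article: the organization's official
# sending domain and the brand name a lookalike domain would imitate.
OFFICIAL_DOMAIN = "marriott.com"
BRAND = "marriott"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str):
    """Pull the host part out of a From: header value; None if there is no address."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. notify.marriott.com -> marriott.com.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str, official: str = OFFICIAL_DOMAIN, brand: str = BRAND) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'unparseable' for one From: header."""
    host = sender_domain(from_header)
    if host is None:
        return "unparseable"
    if registrable_domain(host) == official:
        return "official"  # the real domain or one of its subdomains
    # Break the host into word-like tokens and compare each with the brand name.
    # A one-character slip (marriot), the brand inside a hyphenated name
    # (email-marriot) or the brand used as a subdomain of some other domain
    # all count as lookalikes that deserve a closer look before anyone clicks.
    tokens = re.split(r"[.\-\d]+", host)
    for tok in tokens:
        if tok and (brand in tok or levenshtein(tok, brand) <= 1):
            return "lookalike"
    return "unrelated"


# Constructed sample headers for the demonstration; not real messages.
SAMPLE_FROM_HEADERS = [
    "Marriott Guest Services <notice@notify.marriott.com>",
    "Marriott Security <support@email-marriot.com>",
    "Starwood Help <help@marriott.com.account-verify.example>",
    "Newsletter <news@unrelated-sender.example>",
    "no address here",
]


def triage(headers):
    """Return {header: verdict} for a batch of From: header values."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:11s} {header}")
```

The token comparison is deliberately tolerant of a single edit because that is the gap a typo-style domain exploits; a stricter deployment would also check the message’s authentication results (SPF/DKIM alignment) and a public-suffix list instead of the two-label simplification used here.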
What Can You Do to Protect Yourself?
You may also want to take steps to protect your identity from hackers who may already have your information. If you haven’t done so already, security experts suggest that you “freeze” your credit reports. That’s the same as “locking” your credit reports, but freezing is free and mandated by law. Locking will cost you a monthly subscription fee, but may also include other perks. For instance, if you pay about $5 a month at Experian, you can lock your credit report and check on your credit score at all three credit reporting agencies. You will also get a heads up on other kinds of data security, such as monitoring for unusual activity regarding your identity, including surveillance of the so-called “dark web.”
But, you don’t have to pay to simply freeze your credit reports. That will prevent the unauthorized use of your identity to open up new accounts. A credit freeze will last indefinitely and is easily lifted if you want to apply for new credit.
(1) NYT Article