Update: January 14, 2019—Marriott has revised the number of guests it believes were impacted by the November 2018 breach from approximately 500 million to 383 million, including 5.25 million guests whose unencrypted passport numbers were stolen. A class action lawsuit has been filed by more than 150 former Marriott guests in Maryland’s federal district court.
On September 8, 2018, an internal security tool alerted Marriott to an attempt to access the Starwood guest reservation database, and Marriott opened an investigation. The investigation found that an unauthorized party had copied and encrypted data from that database; on November 19, 2018, Marriott was able to decrypt that data and confirm it came from the Starwood guest reservation database, revealing the full extent of the breach. Marriott also learned that the attackers had held unauthorized access to the Starwood network since 2014 and had gone undetected ever since.
So what does this mean for your executive?
Who and What the Breach Affected
Anyone who made a reservation through the Starwood guest reservation system on or before September 10, 2018 could be affected by the breach. This includes reservations made at a wide range of hotel chains associated with Starwood Hotels and Resorts, including:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton
- Design Hotels
- Starwood branded timeshare properties, such as Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, Vistana
Marriott initially estimated that approximately 500 million guests' information was stolen (a figure it later revised to 383 million; see the update above). While the exact combination of information taken from each person is unclear, the types of personal information stolen are extensive and of a very serious nature.
Information exposed through the breach includes:
- Phone number
- Passport number
- Date of birth
- Starwood Preferred Guest (SPG) account information
- Reservation numbers
- Arrival and departure information
- Communication preferences
- Credit card numbers
- Credit card expiration dates
Marriott says the payment card numbers were encrypted (with AES-128) in its system, but two components are needed to decrypt them, and Marriott has not been able to rule out that both were also taken in the breach. Treat the cards as exposed.
With any combination of the pieces of personal information listed above, a hacker (or anyone they sell the information to) could commit identity theft against your executive, make fraudulent purchases on their credit cards, damage their credit score, or, at the very least, know far too much about their communications and whereabouts. A passport number combined with a date of birth is especially valuable for identity fraud, and a passport cannot be cancelled and reissued as quickly as a credit card.
Understandably, if your executive was affected, this is a situation that needs to be dealt with swiftly.
If Your Executive was Affected
If your executive was affected by the breach, and their email was stored in the Starwood database, they should have received an email from Marriott on or after November 30, 2018. This email would have come from an email-marriott.com domain, to inform them of the breach and its impact on them.
Be on the lookout for phishing emails, though. Attackers often register lookalike domains to trick victims of a breach into giving away more personal information. For example, a domain such as email-mariott.com or email-marriot.com could be used, and most recipients would not notice the spelling difference. Check the actual sender address rather than the display name, which an attacker can set to anything.
For this reason, Marriott has warned customers that legitimate emails from the brand will not ask for personal information. You should never—and you should remind your executive to never—give out confidential information to a source you do not trust completely.
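A small check for the lookalike-domain problem described above, added here as an example; it is not part of Marriott's notice or of any tool the notice references. It parses the real sender address out of a From: header (the display name is never a basis for trust, because the sender controls it), accepts only the email-marriott.com domain the notice named and its subdomains, and flags domains within a small edit distance of it, domains that embed it as a prefix, and display names that borrow the brand with an unrelated address behind them. The trusted-domain set, the brand keywords and the sample headers are constructed for this example.

```python
from email.utils import parseaddr

# Assumption for this example: the only domain Marriott's notice says it
# mails from. Anything else is, at best, unknown.
TRUSTED_DOMAINS = {"email-marriott.com"}
# Assumption: brand words a phisher is likely to put in the display name.
BRAND_KEYWORDS = {"marriott", "starwood", "spg"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lowercased domain of the actual address in a From: header, or ''."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'suspicious', 'unknown' or 'invalid'."""
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    # Exact trusted domain or a subdomain of it (mail.email-marriott.com).
    for good in TRUSTED_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in TRUSTED_DOMAINS:
        # Trusted name buried in a longer registrable domain:
        # email-marriott.com.evil.example, email-marriott.com-login.example
        if good in domain:
            return "suspicious"
        # Typosquats: email-mariott.com, email-marriot.com, email-marri0tt.com
        if levenshtein(domain, good) <= max_distance:
            return "suspicious"
    # Brand in the display name but an unrelated address behind it.
    if any(word in display.lower() for word in BRAND_KEYWORDS):
        return "suspicious"
    return "unknown"


# Constructed sample headers; none of these addresses are real senders.
SAMPLE_HEADERS = [
    "Marriott <noreply@email-marriott.com>",
    "noreply@email-mariott.com",
    "noreply@email-marriot.com",
    "noreply@email-marriott.com.evil.example",
    "Marriott Guest Services <noreply@evil.example>",
    "Newsletter <news@newsletter.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):10s} {header}")
```

An edit distance of 2 is deliberately loose: a notification about a breach is rare enough that a human reviewing a few false positives is cheaper than one missed typosquat. Anything classified "suspicious" or "unknown" should be ignored in favour of the phone numbers and website Marriott published.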
If you haven’t received an email, you’ll still want to be thorough and double check that your executive wasn’t affected. Marriott has a dedicated website with information about the breach and their response to it, which you can visit for more information. They also have call centers for every country they operate in. The United States call center number is 877-273-9481, and is taking calls from 9 AM to 9 PM EST, every day.
Marriott has also offered those affected with one year of free WebWatcher service, which monitors websites where personal information is shared and notifies you if any of your information appears. For those in the United States, the service also includes fraud consultation services and reimbursement coverage.
Your Next Steps
If you know or are concerned that your executive’s information was stolen through the breach, there are several steps you can take moving forward to reduce or eliminate adverse effects resulting from the incident.
What to do if information has been stolen (as advised by the Federal Trade Commission):
- Monitor credit reports
- Scrutinize all credit card statements
- Put a fraud alert on credit files
- Put a free credit freeze on credit reports
Your executive may or may not want you to handle such sensitive tasks on their behalf, but at the very least, you can help educate them on these critical next steps.
There are also security measures you should be putting into place—whether or not your executive was affected this time. By taking extra precautions ahead of time, you can help prevent information exposure issues from arising in the future.
Steps to take before information has been stolen:
- Password Safety—Use a different password for every website and account you access on behalf of your executive, keep them in a password manager rather than sharing them by email or on paper, turn on two-factor authentication wherever it is offered, change a password as soon as the service holding it announces a breach, and limit who has access to them.
- Account Monitoring—Closely monitor your executive’s accounts for unexpected or suspicious activity, according to the level of access you’re given.
- Credit Card Safety—Limit the number of websites where your executive's credit card information is stored, potentially opting instead for services like PayPal, Apple Pay or Google Pay, which pass the merchant a token rather than the card number itself. Also consider setting up a separate credit card specifically for online charges, so that a future breach of one merchant exposes only that card and not the one used for travel and day-to-day expenses.
- Stay Up-to-Date—Stay ahead of the curve by keeping track of news stories that could affect your executive’s safety or privacy.
If your executive’s information was stolen, the fault does not lie with you. It was Starwood’s guest reservation database that was hacked—not your personal computer. There is a limit to what you can do to protect your executive and their information, and you cannot necessarily stop every potential problem.
You can, however, reduce the risk of your executive’s information being compromised, and it is your duty to do your due diligence in this area. While the breach may not have been your fault this time, you should take the necessary steps to make sure that it is not your fault next time, either.
Use companies that you trust, and be selective when giving out information. That alone will go a long way in keeping your executive’s information secure.
Are you doing anything differently in response to Marriott’s breach? Let us know by leaving a comment below.