Hundreds of millions of consumers who provided information to Marriott-owned Starwood Hotels & Resorts should freeze their credit immediately, a credit-card industry expert says.
“I’m recommending a credit freeze, because I think the biggest risk from this breach is that a criminal would use the stolen info to create an unauthorized account in someone’s name,” says Ted Rossman, an industry analyst for CreditCards.com. Freezing credit is a simple procedure, he says.
Marriott announced Nov. 30 it learned 11 days earlier that there was “unauthorized access” to the Starwood guest reservation database on, or before, Sept. 10. An investigation also determined that there had been “unauthorized access to the Starwood network since 2014,” the hotel chain said.
The risk of a crook using a victim’s credit card, however, “is pretty low,” Rossman says.
“The stolen payment info was encrypted, and, even if the bad guys figure out how to decrypt it, unauthorized credit card charges are easy to get reversed. It’s much more serious when a bad actor opens a new account in your name, using your address, date of birth, passport number and other sensitive info exposed by a data breach like the one we just learned about at Starwood Hotels.”
On the San Diego waterfront with a 466-slip marina, the Marriott Marquis is popular with vacationers, business travelers and convention attendees. (Photo: Getty)
Marriott says it believes the hacked Starwood database contains information about up to 500 million guests who made a reservation at a Starwood property. For 327 million of those guests, the information includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.”
“For some,” Marriott says, “the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption. There are two components needed to decrypt the payment card numbers, and, at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.”
Marriott International has 30 hotel brands with more than 6,700 properties in 129 countries and territories. Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
The data breach, Rossman says, “is one of the most significant data breaches in history” because of the large number of people affected and “the sensitivity of the personal information that was stolen.”
With such data exposed, consumers should contact the three major credit bureaus — Experian, Equifax and TransUnion — and freeze their credit, Rossman says.
“A credit freeze is the best way to combat identity theft,” he says. “Credit monitoring just lets you know something bad happened; a credit freeze prevents unauthorized accounts from being opened in the first place.”
Consumers can freeze their credit online, by phone or by mail, Rossman says. “A credit freeze lasts indefinitely. When you want to legitimately apply for new credit, you need to contact each of the three bureaus to lift the freeze.”
Marriott says it began notifying by email on Nov. 30 “affected guests whose email addresses are in the Starwood guest reservation database.” The hotel chain reported the hacking to law enforcement, and “we deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and CEO.
“We fell short of what our guests deserve and what we expect of ourselves,” Sorenson said. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
To help guests monitor and protect their information, Marriott says it has established “a dedicated website and call center” to answer questions about the security breach and is offering one-year free enrollment in WebWatcher. WebWatcher, the hotel chain says, “monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.”
Guests from the United States who activate WebWatcher will also be provided free fraud consultation services and reimbursement coverage, Marriott says. WebWatcher can be activated by clicking on one’s country of residence at info.starwoodhotels.com.
Phil Quade, the chief information security officer of network security company Fortinet, says it’s been reported that the Marriott/Starwood data breach “was enabled by compromising encryption keys for what was otherwise a strong encryption algorithm.”
Encryption, used to scramble information to make it private and to check whether information has been improperly modified, “is one of the few silver bullets in the cybersecurity business,” says Quade, whose company provides security solutions to companies and government agencies. “Correctly implemented, encryption is invulnerable to hacks by criminals and nation states. The problem, though, is that it is notoriously easy to make mistakes in its implementation and/or in the handling of its unlock keys.”
Though the Marriott breach exposed customers’ names, addresses and related information, it could have been worse, Quade says.
“While not intending to paint a too scary view of the future, it could have been more,” he says. “Hotels and buildings are increasingly being instrumented with the vaguely-sounding Internet of Things — small but prolific devices that can measure all sorts of personal things such as what time you left/entered your room, what you watched on your TV, what services you used during your stay and even what items you used/took in your room.”
The good news is that security solutions are available today “to address the convergence of cyber things with physical things,” Quade says. “There is no privacy without robust cy-phy security.”