The Marriott Breach: What Happened and What You Should Do About It

November 30, 2018 Published Article

This is yet another unfortunate reminder that the threat hackers pose to your privacy and your business is real and not close to abating. Marriott International Inc. announced today what may be the second largest data breach in history. If you are a consumer or a business, here is what you need to know about what happened and what steps you need to take if you are affected.

What Happened

On September 8, 2018, Marriott received an alert about an unauthorized attempt to access its Starwood guest reservation database. (Marriott acquired Starwood in September 2016.)  
An investigation revealed that hackers had had access to that database since 2014. The hackers not only copied private consumer data, but they also encrypted it before removing it. Marriott was not able to decrypt the information until November 19, 2018.
At that time, Marriott determined that the stolen information includes various combinations of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival/departure information, reservation dates, and communication preferences. The theft affects up to 327 million consumers who made reservations at a Starwood property. While Marriott had encrypted credit card information using the Advanced Encryption Standard, Marriott cannot rule out the possibility that the hackers stole the encryption keys needed to decrypt that data.

What You Should Do About It

Marriott is in the process of sending e-mails on a rolling basis to affected consumers whose email addresses are in the Starwood guest reservation database.  However, everyone should be proactive by calling Marriott’s dedicated call center set up to answer questions about the incident (open 7 days a week: 1-877-273-9481; numbers for other countries are available at answers.kroll.com).
Those affected by the breach should do the following as soon as possible:

  1. Change the passwords on all your accounts immediately; 
  2. Review your accounts for suspicious activity and be diligent about monitoring them going forward, including immediately contacting all of your banks and credit card companies with any concerns; 
  3. Use a separate card for online transactions, which makes monitoring for suspicious activity less burdensome; 
  4. Visit answers.kroll.com to enroll in Webwatcher, which monitors websites and generates an alert if your personal information is found (Marriott will pay for one year of this service); 
  5. Be on heightened alert for phishing attempts when you review your e-mail; and
  6. Review all of your accounts to determine whether you can and should delete unnecessary personal information.  

Remember: Being Vigilant is the Key

What liability Marriott will face and whether insurance will cover the losses caused by the breach are open questions. However, this is another unfortunate reminder that consumers and businesses need to protect themselves from hackers. The losses from not doing so could prove catastrophic.