On Friday, November 30, 2018, Marriott announced its Starwood guest reservation database was breached.  The database contains the personal information on over 500 million guests who made reservations at Starwood properties. Starwood properties include the posh W hotels, Sheraton, and Westin Hotels & Resorts.

Marriott's press release stated that  “For approximately 327 million of these guests, information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

Payment card numbers and expiration dates may have been exposed

Payment card numbers and expiration dates were encrypted using Advanced Encryption Standard Encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

The severity of the Marriott breach cannot be overstated.

It dwarfs the Equifax breach of 2017, where 143 million American consumers’ sensitive information was exposed. In fact, the Marriott breach is the second largest breach of all time, bested only by the Yahoo data breach of 2013, where 3 billion users’ personal details were exposed. The sheer volume of individuals’ data exposed is overwhelming. The worst part is that Marriott’s own investigation of this incident revealed signs of unauthorized access to their database as far back as 2014!

Repercussions for Marriott

Hours after Marriott announced its data breach, a class action lawsuit was filed. It’s seeking $12.5 billion in costs and losses, or about $25 for each of the 500 million customers affected. Yahoo paid $85 million for a 2014 hack, and Uber just agreed to pay $148 million to settle a class action lawsuit for its 2016 data breach. Additionally, since international customers are involved, Marriott could face GDPR penalties as high as $11.3 million for European customers whose data was exposed.

Marriott does carry cybersecurity liability insurance but said:

“Although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future, such insurance may not be available to us on commercially reasonable terms, or at all.”

The New York Post reports that the disclosure triggered probes from the FBI and New York Attorney General Barbara Underwood.

New York Senator Chuck Schumer released a statement requesting that Marriott pay for the expense of new documents for those impacted by this breach. The Senator demanded that Marriott foot the $110 passport replacement cost for the 327 million whose passport information was exposed.

So what happens now?  What’s my risk?

If you are part of the Starwood Rewards program, it’s very likely that you are affected by this breach. You could start receiving phone calls combined with emails claiming to be from Marriott, and they will be almost impossible to spot. Cybercriminals have extensive information on their potential victims now, so they’ll look very legit. They’ll include your full first and last name and might even include recent bookings and hotel stays you’ve had. For more information on How to Spot and Avoid Phishing Emails, read our blog on that topic.

Also, expect traditional identity theft and fraud incidents. With the extensive information available to the cybercriminals, it will be relatively straightforward to impersonate you and gain access to your bank and credit card accounts, apply for loans, open mobile phone accounts, and commit fraud in your name. Identity theft is a serious crime and could make you a victim of identity theft for life. Learn more about what to expect if you’re a victim of identity fraud from our blog on that topic.

What can I do to protect myself?

Monitor your bank and credit card accounts

You should closely monitor all of your bank and credit card accounts and frequently review your credit reports for signs of activity that has not been generated by you.

Apply for a new passport

If you are part of the group whose passport information was exposed, you should apply for a new passport to reduce the full profile an identity thief currently has on you. With your passport information, a cybercriminal has identification documentation that will verify with the U.S. government. What better proof do they need to prove that they are you?

Put a Credit Freeze or fraud alert on your credit file

Putting a credit freeze or fraud alert on your credit file will make it more difficult for someone to open credit in your name.  However, it won’t stop them from making charges to your existing credit cards or accounts.

File your taxes early

As soon as you have the tax documents you need, file your taxes immediately. Cybercriminals are more and more frequently stealing tax refunds. Between the Equifax breach and the Marriott breach, they have all the information they need to successfully impersonate you to the IRS.

Purchase identity theft protection

Marriott is insured for this sort of thing. Why shouldn’t you be? Identity Armor has been protecting Americans from the perils of identity theft and fraud since 2014. We have plans starting as low as $5.99 per month that will provide you the protection and peace of mind you need. Identity Armor will monitor your credit profile at TransUnion and scour the Dark Web for any traces of your stolen data. If we detect any changes to your credit profile, we will notify you via email and an SMS message to your mobile device.

Call us at (888) 556-7609 or click here to learn more about our identity theft protection plans.