Starwood data breach: Some ways to protect yourself
So you find yourself swept up in potentially one of the largest data breaches in history – among as many as 500 million Starwood Hotel customers whose personal data may have been accessed. What do you do now?
Cybersecurity and online fraud experts stress vigilance to protect your identity and other accounts from being attacked.
“The potential damage cannot be understated,” said Paige Boshell, a privacy and cybersecurity attorney with Privacy Counsel in Birmingham, Alabama. “This type of information may be retained and used over and over again for years.”
Among the potentially accessed data belonging to customers who made reservations at Starwood hotels, Marriott said, the records of as many as 327 million customers include some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some Starwood guests, the data may also include payment card numbers and payment card expiration dates, but the payment card numbers were encrypted, Marriott said.
Marriott said the breach does not involve reservations made at Marriott hotels, as those are maintained on a separate reservation system on a different network. Starwood Hotels include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
Marriott has begun emailing guests whose email addresses are in the database.
The company said it will provide the online account monitoring software WebWatcher to guests free of charge for one year. The service reimburses fraud loss of up to $1 million. U.S. customers who use it will also get fraud consultation services and reimbursement coverage for free.
To enroll in WebWatcher and get additional information about the breach, customers can go to info.starwoodhotels.com.
“Consumers should also recognize that the effects of this breach are likely to affect other online accounts they possess including online banking, healthcare information, workplace data and social media accounts,” said Aman Khanna, vice president of products at Mountain View, California-based security firm ThumbSignIn.
Other steps consumers should take to bolster security:
Contact the issuer of any credit card you might have on file with Starwood or Marriott, even expired or closed ones, Boshell said, to flag the card accounts and change card numbers.
In the wake of data breaches, consumers should be wary of third parties attempting to gather information by deception, so-called “phishing” attempts, including through links to fake websites.
Current phishing attempts involve sending a personalized email claiming that the sender has compromised all your personal data and that your password is “xxx,” where xxx is the compromised password, “preying on your vulnerability to believe that,” said Marty Puranik, a cybersecurity expert and CEO of Atlantic.Net, a cloud hosting company headquartered in Orlando, Florida.
“So be aware that if someone attempts to take advantage of you, because they have some of your data they will not necessarily have much,” he said. Even though the compromised passwords in this case may be encrypted, password crackers can usually break easy ones, he said.
If you think you may be the victim of identity theft – or your personal data has been misused – immediately contact law enforcement and the Federal Trade Commission. The FTC’s site recommends that consumers get a free, one-year fraud alert from one of three credit bureaus – Equifax, Experian, or TransUnion.
“Annual credit reports and credit freezes are free,” Boshell said. “Freezes enable the consumer to review each application of credit made in his or her name and stop fraud as it is happening.”
If you think your passport number is involved, treat your passport as if it were stolen and contact the State Department to replace it with a new number.
Change your password. Do not use easily guessed passwords or the same passwords for multiple accounts. (FYI: Marriott said it will not ask you to provide your password by phone or email.) And on any online account that offers it, you should set up two-factor authentication, which sends a text message to your phone number with a verification code when you log into an app or site.
“This is one of the simplest and most effective ways to secure accounts and most banks and healthcare institutions offer this protection for free,” Khanna said.
Review your credit card statements for unauthorized activity and immediately report any to your bank.