Star­wood data breach: Some ways to pro­tect your­self

Milwaukee Journal Sentinel - - Business - Mike Snider

So you find your­self swept up in po­ten­tially one of the largest data breaches in his­tory – among as many as 500 mil­lion Star­wood Ho­tel cus­tomers whose per­sonal data may have been ac­cessed. What do you do now?

Cy­ber­se­cu­rity and on­line fraud ex­perts stress vig­i­lance to pro­tect your iden­tity and other ac­counts from be­ing at­tacked.

“The po­ten­tial dam­age can­not be un­der­stated,” said Paige Boshell, a pri­vacy and cy­ber­se­cu­rity at­tor­ney with Pri­vacy Coun­sel in Birm­ing­ham, Al­abama. “This type of in­for­ma­tion may be re­tained and used over and over again for years.”

Among the po­ten­tially-ac­cessed data be­long­ing to cus­tomers who made reser­va­tions at Star­wood ho­tels, Mar­riott said as many as 327 mil­lion cus­tomers’ data in­cludes some com­bi­na­tion of name, mail­ing ad­dress, phone num­ber, email ad­dress, pass­port num­ber, Star­wood Pre­ferred Guest ac­count in­for­ma­tion, date of birth, gen­der, ar­rival and de­par­ture in­for­ma­tion, reser­va­tion date, and com­mu­ni­ca­tion pref­er­ences.

Also, for some Star­wood guests, the data may also in­clude pay­ment card num­bers and pay­ment card ex­pi­ra­tion dates, but the pay­ment card num­bers were en­crypted, Mar­riott said.

Mar­riott said the breach does not in­volve reser­va­tions made at Mar­riott ho­tels, as those are main­tained on a sep­a­rate reser­va­tion sys­tem on a dif­fer­ent net­work. Star­wood Ho­tels in­clude W Ho­tels, St. Regis, Sher­a­ton Ho­tels & Re­sorts, Westin Ho­tels & Re­sorts, Ele­ment Ho­tels, Aloft Ho­tels, The Lux­ury Col­lec­tion, Trib­ute Port­fo­lio, Le Méri­dien Ho­tels & Re­sorts, Four Points by Sher­a­ton and De­sign Ho­tels. Star­wood branded time­share prop­er­ties are also in­cluded.

Mar­riott has be­gun email­ing guests whose email ad­dresses are in the data­base.

The com­pany said it will pro­vide free of charge on­line ac­count mon­i­tor­ing soft­ware We­bWatcher to guests for one year. The ser­vice re­im­burses fraud loss of up to $1 mil­lion. U.S. cus­tomers who use it will also get fraud con­sul­ta­tion ser­vices and re­im­burse­ment cov­er­age for free.

To en­roll in We­bWatcher and get ad­di­tional in­for­ma­tion about the breach, cus­tomers can go to info.star­wood­ho­tels.com.

“Con­sumers should also rec­og­nize that the ef­fects of this breach are likely to af­fect other on­line ac­counts they pos­sess in­clud­ing on­line bank­ing, health­care in­for­ma­tion, work­place data and so­cial me­dia ac­counts,” said Aman Khanna, vice pres­i­dent of prod­ucts at Moun­tain View, Cal­i­for­nia-based se­cu­rity firm Thum­bSignIn.

Other steps con­sumers should take to bol­ster se­cu­rity:

Con­tact any credit card com­pany that you might have a card on file with Star­wood or Mar­riott, even ex­pired or closed ones, Boshell said, to flag the card ac­counts and change card num­bers.

In the wake of data breaches, con­sumers should be wary of third par­ties at­tempt­ing to gather in­for­ma­tion by de­cep­tion, so-called “phish­ing” at­tempts, in­clud­ing through links to fake web­sites.

Cur­rent phish­ing at­tempts in­volve send­ing a per­son­al­ized email, claim­ing to have com­pro­mised all your per­sonal data and your pass­word is “xxx” where xxx is the com­pro­mised pass­word, “prey­ing on your vul­ner­a­bil­ity to be­lieve that,” said Marty Pu­ranik, a cy­ber­se­cu­rity ex­pert and CEO of At­lantic.Net, a cloud host­ing com­pany head­quar­tered in Or­lando, Florida.

“So be aware that if some­one at­tempts to take ad­van­tage of you, be­cause they have some of your data they will not nec­es­sar­ily have much,” he said. Even though the com­pro­mised pass­words in this case may be en­crypted, pass­word crack­ers can usu­ally break easy ones, he said.

If you think you may be the vic­tim of iden­tity theft – or your per­sonal data has been mis­used – im­me­di­ately con­tact law en­force­ment and the Fed­eral Trade Com­mis­sion. On the FTC’s site, it rec­om­mends con­sumers get a free, oneyear fraud alert from one of three credit bu­reaus – Equifax, Ex­pe­rian, or Tran­sUnion.

“An­nual credit re­ports and credit freezes are free,” Boshell said. “Freezes en­able the con­sumer to re­view each ap­pli­ca­tion of credit made in his or her name and stop fraud as it is hap­pen­ing.”

If you think your pass­port num­ber is in­volved, treat your pass­port as if it were stolen and con­tact the State Depart­ment to re­place it with a new num­ber.

Change your pass­word. Do not use eas­ily guessed pass­words or the same pass­words for mul­ti­ple ac­counts. (FYI: Mar­riott said it will not ask you to pro­vide your pass­word by phone or email.) And on any on­line ac­count that of­fers it, you should set up two-fac­tor au­then­ti­ca­tion, which sends a text mes­sage to your phone num­ber with a ver­i­fi­ca­tion code when you log into an app or site.

“This is one of the sim­plest and most ef­fec­tive ways to se­cure ac­counts and most banks and health­care in­sti­tu­tions of­fer this pro­tec­tion for free,” Khanna said.

Re­view your credit card state­ments for unau­tho­rized ac­tiv­ity and im­me­di­ately re­port any to your bank.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.