Here’s How

Here’s everything you need to know.

PCWorld (USA) - BY MICHAEL SIMON

It’s been a couple of months since a major company unveiled a data breach that affected millions of people (go.pcworld.com/tmdb), so it’s time for a new one. The Marriott hotel chain has announced (go.pcworld.com/dbsc) a major database breach that could affect anyone who stayed at its 6,700 worldwide Starwood hotel properties since 2014—up to 500 million people in total.

That’s a lot of people and a long stretch of time, so check out our FAQ:

WHAT HAPPENED?

Marriott says it received an alert from an internal security tool on September 8 warning of an attempt to access the Starwood guest reservation database in the United States. In its investigation of the incident, Marriott learned that an unauthorized party gained access to the company’s customer database and “copied and encrypted information, and took steps toward removing it.”

HOW DID THE HACKERS GET IN?

Marriott isn’t being totally clear here, but it appears as though this wasn’t the usual exploit of a vulnerability. Rather, someone without the proper credentials was able to access the Marriott reservation database to make a duplicate encrypted copy of customer information, which was then presumably taken outside the system.

HOW FAR BACK DOES THE BREACH GO?

Marriott says the unauthorized access goes back to 2014.

WHY WASN’T MARRIOTT ALERTED SOONER?

Also unclear, but perhaps the unauthorized party only recently started accessing the system. Or possibly Marriott recently installed new security software that was able to detect the access.

WHY ARE WE JUST HEARING ABOUT THIS NOW?

Marriott says it was only able to decrypt the files on November 19, and is still working to uncover the scope of the breach.

WHAT WAS STOLEN?

Marriott is still sorting through the data it was able to recover, but for most customers, the following data may have been stolen: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information, along with reservation dates and communication preferences.

SHOULD I CHANGE MY PASSWORD?

Marriott hasn’t said whether any accounts were accessed or passwords stolen, but it certainly can’t hurt. But this was a breach of the company’s internal database of hotel guests, not online accounts.

Password managers make it easy to create strong, unique passwords for every site you visit. If you aren’t using one yet, our guide to the best password managers can help you pick a great one (go.pcworld.com/pwmn).

WHAT ABOUT CREDIT CARD INFORMATION?

For some users, Marriott says payment card numbers and payment card expiration dates were included in the stolen data, but card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

SO MY CREDIT CARD IS SAFE?

Possibly not. As Marriott explains: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

WHAT ABOUT MY SPG POINTS?

Marriott says there is no evidence that any loyalty points were obtained, but you should check your account for any suspicious activity.

HAS THE BREACH BEEN STOPPED?

Presumably, but Marriott doesn’t explicitly say whether the unauthorized access has been shut down. However, the chain is working with law enforcement agencies and regulatory authorities, so the likelihood of a continued breach is extremely low.

WHAT IS MARRIOTT DOING TO STOP FUTURE BREACHES?

Again, it’s not totally clear if the hacker exploited a vulnerability or merely used an unauthorized password, but Marriott says it is devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to its network.

HOW DO I KNOW IF MY DATA WAS ACCESSED?

Marriott began sending emails on a rolling basis on November 30 to affected guests, so be sure to check your email, particularly your spam folder, to see if you’ve received one.

WHAT CAN I DO IF I AM AFFECTED?

Marriott has set up a dedicated call center to answer any questions you may have. U.S. customers can call 877-273-9481 seven days a week to reach a representative.

SHOULD I CANCEL MY CREDIT CARD?

That is not a bad idea. If you know the credit card or cards that are on file with Marriott or Starwood hotels, canceling them now is the best way to prevent any future malfeasance.

WHAT ELSE CAN I DO?

Marriott is providing all guests in the U.S., Canada, and the UK with the opportunity to enroll in Kroll’s Web Watcher Monitoring Service (go.pcworld.com/krll), which tracks sites where personal information is shared and alerts you if evidence of your personal information is found.

Our guide to what to do after a data breach (go.pcworld.com/5dtb) can help you minimize your exposure to any pilfered information. Good luck.
