A Few Thoughts on the Marriott Breach

Posted on December 3rd, 2018

You have likely heard about the data breach at Marriott that impacted 500 million people. The best full coverage of this can be read at https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach. My inbox was full of questions about this breach, so here are a few thoughts. Note that I will have a detailed summary of the breach and response on this week’s podcast, due out Friday, December 7, 2018.

1) This is not technically a Marriott breach. The breach happened to the Starwood Hotel chain, which Marriott happened to recently purchase. If you stayed at an actual Marriott property, you are not likely affected. If you stayed at a Starwood property over the past four years, such as a Westin, you probably are in this breach.

2) If you are in this breach, the attackers now have your name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. This is quite invasive.

3) Marriott is offering free credit monitoring for one year. I do NOT recommend that you enroll in this. Instead, freeze your credit. (Guide at https://inteltechniques.com/data/workbook.pdf).

4) Change your password for your Starwood Preferred Guest Rewards Program immediately. If you used that password anywhere else, change it on every one of those accounts immediately.

5) Watch out for breach-related scams. Email phishing attacks will start to use this incident as bait to get you to click or download things you should not.

6) This is not a Marriott problem; this is a global problem. This does not make Hilton any more secure than Marriott. Every hotel business is vulnerable. This is why I am very selective about providing any personal details to a company. I have always used an alias name at hotels over the past ten years, and paid with either a secondary alias card or a Privacy.com card in an alias name. Some have accused me of being paranoid. I am sure that I am in this breach, but under an alias, with a fake address, a burner telephone number, and a unique form of payment that can be easily closed. I have little concern. Will this change any of your behaviors when companies ask for your name, address, cell, etc.?

Please listen to my podcast Friday for many more details and strategies.
