Marriott International is dealing with the fallout after revealing a massive data breach affecting hundreds of millions of customers who stayed at Starwood-branded properties between 2014 and September 10, 2018.
The scope of the hack is one of the largest in the industry. Many are asking how it could have gone undetected for so long.
The world’s largest hospitality company put into place several initiatives for customers whose personal information, including name, date of birth, and address, has been stolen. A dedicated website (info.starwoodhotels.com) and call center have been established to field questions about the incident.
Marriott announced Tuesday it will pay for new passports, with as many as 327 million traveler’s passport numbers exposed in the breach.
“As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” a Marriott spokesman told MarketWatch. “If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”
The expenditures for Marriott will continue, as it will likely have to “invest very heavily in improved detection and response-based technologies, such as deception-based solutions, endpoint detection and response, software-defined segmentation, and behavior analytics,” predicts Nick Wyatt, head of tourism at GlobalData, a leading data and analytics company, to prevent such an event from happening again.
Marriott’s woes continue
The trouble for Marriott doesn’t end there. Some of the activity appeared to happen after Europe put into place General Data Protection Regulation (GDPR,) in May 2018, which boosted fines for violations of some types of data security.
In addition, a class-action lawsuit has been filed against Marriott. Murphy, Falcon & Murphy, with their co-counsel Morgan & Morgan, allege that the hotel chain "failed to ensure the integrity of its servers and to properly safeguard consumers' highly sensitive and confidential information." The suit does not disclose how much they are seeking in damages.
Bernstein Liebhard, LLP filed a securities class action lawsuit on Monday, and seeks to recover Marriott shareholders' investment losses.
On Friday, the New York attorney general’s office said it would open an investigation into the breach.
The latest incident has lawmakers calling for stricter laws for companies that do not adequately protect their customers’ personal data. “We must set clear customer data protection standards for all companies — whether they’re hotel chains, online retailers, or big tech — and severe penalties for those who fall short,” Sen. Richard Blumenthal, a Democrat from Connecticut, tweeted. Sen. Mark Warner of Virginia and Sen. Ed Markey of Massachusetts said Congress needs to set hard limits on how much customer data U.S. companies are allowed to store.
What to do if you suspect fraud
If you or your clients suspect they might be a victim of a data breach and fraud, here are some steps you can recommend:
1. Check your accounts for fraudulent activity. It seems obvious, but must people don’t thoroughly check their credit card bill.
2. Enroll in identity theft monitoring software to ensure your personal data is not being used. Marriott is offering guests a free year with WebWatcher, which alerts customers if their personal information is shared on internet sites.
3. To protect against someone opening new credit accounts in your name, issue a security freeze (also known as the credit freeze), to prevent new credit from being issued without your direct permission.
4. With passport numbers part of the personal information that was stolen by hackers, it may be a good idea to apply for a new one. With your passport number, name, and date of birth, anyone can apply for a new passport by reporting the existing one stolen and use it as a proof of identity to open a new bank account or access an existing one.
5. Keep in mind that once you report your passport as potentially compromised, it will immediately become invalid and cannot be used for international travel.
6. Regularly order free copies of your credit file from a service like annualcreditreport.com to make sure that no one is impacting your credit.