Marriott International revealed on Friday the personal information of at least 500 million guests may have been exposed by a data breach at its Starwood hotels brand, which it acquired two years ago.
That includes the name, mailing address, phone number, email address, passport number, birthday, gender, arrival and departure dates, Starwood preferred guest account information and communication preferences of at least 327 million guests, Marriott said in a news release. For some guests, the information could also include credit card numbers and expiration dates.The data breach marks one of the biggest and worst in history, surpassed only by Yahoo, which a 2013 hack affected 3 billion accounts.
If you’re one of the unlucky people affected by the breach, here are some tips in securing your personal information and warding against potential identity or credit card theft.
“You have to be careful, the initial attack we don’t know it was financially motivated, but it’s a fairly sophisticated attack,” Paige Boshell, a managing member of Privacy Counsel LLC, said. “You have to be concerned about the motives of the initial attack, but also, you see a lot of this information sold and repurposed.”
Boshell said customers, first and foremost, need to look at the type of information that may have been stolen. In the case of Marriott, there were three different types: Financial (credit card numbers); identification (passport, date of birth); and personal preferences (she described it as the “ick factor” -- things like travel dates and hotel room preferences).
Customers should contact their banks and alert them to the potential credit card number theft, cancel that card and order a new one, Boshell said. She also suggested that people get a copy of their credit report -- which is free every year -- and check for any fraud.
“We are seeing increasingly in the past couple of years that attackers will sit on information for a while before using it,” she said. “You have to continue to be mindful. And even if you change numbers, keep an eye on older numbers, because attackers or fraudsters can use closed or expired credit card numbers.”
It’s a little trickier to change identification information that may have been breached, like the passport. Although it might be difficult for a hacker to do anything with the passport number without the physical passport, Boshell said people should consider whether they want to contact the State Department and get a new one. To do so, they would have to go in person -- but if you’re a frequent traveler, the hassle could be worth it.
As far as personal hotel and contact preferences, she advised that people be extra cautious going forward about potential phishing schemes.
“If you’re a heavy traveler and there are partners they can detect using that information, maybe just be mindful going forward of emails and texts that you might get, that might seem to know more about you or might seem in tune with your travel activities and so on,” she said.