Another breach of sensitive data which potentially affects the accounts of up to 5.2 million customers of Marriott International, Incorporated has occurred; and at this point, members of the team at the lodging company believe that the following information of the aforementioned customers may have been involved — although not all of this information was present for every guest involved:
- Contact Details — for example, name, mailing address, e-mail address, and telephone number
- Loyalty Account Information — for example, account number and points balance; but not passwords
- Additional Personal Details — for example, company, gender, and birthday day and month
- Partnerships and Affiliations — for example, linked airline loyalty programs and numbers
- Preferences — for example, stay preferences, room preferences, and language preference
Was Your Marriott Account Compromised in the Latest Data Breach? What You Can Do
More than 7,300 hotel and resort properties, which are operated and franchised under the portfolio of 30 brands of Marriott International, Incorporated in 134 countries and territories, use an application to help provide services to guests. According to this article at Marriott International News Center, at the end of February 2020, the lodging company “identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.”
Although the investigation by Marriott International, Incorporated is currently ongoing, members of the team at the lodging company currently have no reason to believe that the information involved included membership account passwords or personal identification numbers of the Marriott Bonvoy frequent guest loyalty program, payment card information, passport information, national identifications, or the numbers of driver’s licenses.
A notice was sent out to customers who may have been affected by the incident in question which involved a property system. The notice — which was sent out via e-mail messages starting on Tuesday, March 31, 2020 — “explains what occurred, the information involved, the measures taken by Marriott to investigate and address the issue, how Marriott is assisting guests, and steps guests may consider taking.”
Marriott International, Incorporated has also set up a dedicated Internet web site and call center resources with additional information for customers. The call center resources can be reached by calling the numbers listed on the dedicated website. The email sent to guests and the website also contain a list of steps guests involved can consider taking and information about enrolling in a personal information monitoring service that Marriott is providing.
Marriott carries insurance — including cyber insurance — commensurate with its size and the nature of its operations; and the lodging company is working with its insurers to assess coverage. Members of the team at the lodging company do not currently believe that its total costs related to this incident will be significant.
Not the First Time Sensitive Data Has Been Breached
Marriott International, Incorporated received an alert on Saturday, September 8, 2018 from an internal security tool regarding an attempt to access the Starwood Hotels and Resorts reservation database of customers in the United States. Marriott quickly engaged leading security experts to help determine what occurred and learned during the investigation that there had been unauthorized access to the Starwood Hotels and Resorts network since 2014. The lodging company discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.
On Monday, November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the guest reservation database of Starwood Hotels and Resorts.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
What to Do if You Were Affected by the Latest Data Breach
…and if so, you will be given the option to enroll in a personal information monitoring service provided by Experian — which also provides data and information services worldwide — known as IdentityWorks free of charge for one year. This optional service allows you to identify information which you would like to be monitored; and you decide as to how much information should be included in the monitoring process. Any information which you provide to Experian will only be used by Experian for the sole purpose of the complimentary IdentityWorks monitoring service.
- Visit the Experian IdentityWorks Internet web site to enroll by Tuesday, June 30, 2020, as your activation code will not work after this date:
  - United States residents: https://www.experianidworks.com/identity
  - Residents outside of the United States: http://www.globalidworks.com/identity1
- Provide your activation code, which is to be provided in the notice via e-mail message from marriott@email-marriott.com or self-service portal communication
More Information on Steps You Can Take
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission or the office of the attorney general in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records.
Contact information for the Federal Trade Commission is as follows:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT or 1-877-438-4338
www.ftc.gov/idtheft
Always be vigilant for incidents of fraud or identity theft by reviewing your membership account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report — free of charge — once every 12 months from each of the three nationwide credit reporting companies if you reside in the United States. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.
Contact information for the three nationwide credit reporting companies is as follows:
- Equifax PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
- Experian PO Box 2002, Allen, TX 75013, www.experian.com, 1-888-397-3742
- TransUnion PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-916-8800
Regardless of where you reside, below are some additional steps you can take.
- Monitor your Marriott Bonvoy membership account for any suspicious activity.
- Change your password regularly. Do not use easily guessed passwords. Do not use the same passwords for multiple accounts.
- Review your payment card account statements for unauthorized activity and immediately report unauthorized activity to the bank that issued your card.
- Be vigilant against third parties attempting to gather information by deception — which is commonly known as “phishing” — including through links to fake Internet web sites. Marriott will not ask you to provide your password by telephone or e-mail message.
- If you believe you are the victim of identity theft or your personal data has been misused, you should immediately contact local law enforcement.
- Please refer to the bottom of this article for detailed information pertaining to fraud alerts and credit freezes.
Summary
Companies need to be increasingly more vigilant about protecting the sensitive data of their customers. Ironically, creating difficult hurdles for members of frequent travel loyalty programs to recover expired points seems to be significantly more important than pooling more resources and implementing more effective procedures in protecting the sensitive data of their customers.
Between the incidents involving Delta Air Lines, Hyatt Corporation, Hilton, Kimpton Hotels and Restaurants, British Airways, Facebook, Equifax, and other various companies in recent years, protecting your sensitive information has become almost impossible to do…
…and yet, few measures are in place to rectify the potentially disastrous results which could possibly occur from these data breaches — as though few corporations and government entities are unconcerned about confronting the seriousness of such breaches and attacks.
I am uncertain at this time as to what is the answer — but this trend simply cannot continue unchecked where customers are basically left out in the cold, in my opinion. Class-action lawsuits — through which attorneys line their pockets with plenty of cash and throw the poor consumer a virtually worthless coupon — are not the answer. Corporations simply need to be held significantly more accountable for their actions — or inactions — so that they have an incentive to better protect the sensitive information and data of their customers in the future…
All photographs ©2014, ©2015, ©2016, and ©2017 by Brian Cohen.