Protect Yourself in the Wake of the Marriott Data Breach
December 11, 2018
Editorial Disclaimer: Information in these articles is brought to you by CreditSoup. Banks, issuers, and credit card companies mentioned in the articles do not endorse or guarantee, and are not responsible for, the contents of the articles.
In just the first half of 2018, an estimated 4.5 billion data records were compromised due to database breaches at major companies around the world, including no fewer than six major social media networks and a host of big companies like Jared Jewelers and Quora. And those are just the breaches that have been discovered.
The scary fact is that some data breaches can remain hidden for years — and go unreported for even longer. That means your data can be on the open market and changing hands well before you know it’s been compromised.
Take the recent Marriott/Starwood data breach. Reports indicate hackers accessed the Starwood hospitality group’s customer database in 2014, and the thieves went unnoticed for four years before the company — now owned by Marriott — discovered the breach. Over that time, as many as 500 million customers who stayed at a Starwood property through September 10, 2018, may have had their data stolen.
What Type of Information Was Stolen & Who Is at Risk?
At this point in our society, the number and regularity of data breaches mean it’s safe to assume most of us have been the victim of some type of data theft. But, no matter how common data theft may be these days, the associated risks are not to be taken lightly. This is especially true of any databases that contain personally identifiable or financial information such as Social Security numbers or bank account information.
In many cases, a brief database breach that is quickly found does limited damage. Many major companies have robust security systems and multiple levels of data encryption that can help protect your data even after it’s stolen.
Unfortunately, the Marriott/Starwood breach was neither brief nor quickly discovered. The sheer length of time the hackers had inside the Starwood system means that not only was a significant amount of information stolen, but the hackers were in a position to obtain much of that data before it was encrypted.
In its press release, Marriott reported that data on approximately 327 million guests was copied and that the stolen data included “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
Some users’ payment information, including card numbers and expiration dates, was also included in the stolen data. While Marriott emphasizes that the payment data was encrypted using the Advanced Encryption Standard (AES-128), the company could not rule out that the hackers also took the necessary decryption components.
Marriott reported that the remaining 173 million customers saw less data theft, with stolen information thought to be “limited to name and sometimes other data such as mailing address, email address, or other information.”
Marriott Is Offering Free Identity Monitoring to Affected Consumers
In an effort to stem some of the inevitable flow of poor press and panicked customers, Marriott established a dedicated website for information on the breach and a call center for consumers with questions about their data. The company also began sending out emails to affected customers, which are rolling out in batches.
As has become common these days, Marriott is also following the go-to response for a data breach: free identity monitoring. Marriott has partnered with Kroll, a cybersecurity firm, to offer WebWatcher Monitoring Service free of charge for one year to affected guests.
According to the press release, “WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.”
While the product isn’t available in all countries, customers from the U.S. are eligible for the free year of service. American guests will also be eligible for free fraud consultation services and reimbursement coverage, provided they have activated WebWatcher.
Using a Credit Card with $0 Fraud Liability Can Limit Your Risk
Of all the information that was stolen during the Marriott breach, most alarming to many people is likely the financial information, especially since identity monitoring services can’t stop fraudsters from using your credit cards to go on a shopping spree.
Before you rush to cancel your cards, however, keep in mind that your liability for fraudulent credit card purchases is limited, by law, to $50. Furthermore, most major credit card issuers offer $0 Fraud Liability policies that mean you have absolutely zero obligation to pay for unauthorized charges made with your stolen credit card information.
Of course, that doesn’t eliminate the hassle that can be involved in spotting, disputing, and dealing with credit card fraud. However, in today’s world, where major data breaches seem to occur every other month, it’s hard to eliminate the chance of fraud entirely — without forgoing making purchases with your credit cards, at any rate.
If you’re truly worried about your credit card data falling into the wrong hands, virtual credit cards may be the solution. Provided by a handful of issuers, virtual credit cards are limited-use credit card numbers that allow you to make credit card purchases without revealing your real, permanent credit card data.
Other ways to help protect your payment data include various third-party services like mobile wallets, which allow you to make payments without providing your specific financial data to the merchants. Keep in mind, however, that your data is only as secure as the database of the mobile wallet provider.
Other Smart Digital Safety Behaviors to Practice
Regardless of whether you choose to mask your payment data with a virtual credit card or third-party service, everyone should practice at least basic digital security behaviors to help protect their personal data.
This starts with ensuring you use unique username and password combinations with every website you visit. Although it’s certainly easier to use the same login credentials for everything, this leaves your online accounts wide open to fraudsters.
Consider this: Starwood Preferred Guest (SPG) login data was taken along with everything else during the Marriott/Starwood breach. If you use the same username and password combo for any other account, the thieves now have free rein in both accounts.
In addition to varying your credentials, it’s important to always be wary when asked to input those credentials (or any other personal information). Make sure the domain in the address bar matches the domain you intended to visit and avoid using any links that may be suspect, particularly those in emails.
If entering financial information or any other sensitive data, be sure the site is trustworthy and secure, including checking for the “https” at the front of the URL and ensuring that the “lock” icon is visible in your browser. If anything looks suspicious, don’t put in your data.
In the event you suspect you have been a victim of identity theft, you can head to the government’s IdentityTheft.gov to report the theft and start recovering your identity. Even if your stolen information has not yet been used, the website can help you determine the proper next steps to help protect your information from future fraud.