Marriott’s disclosure on Friday that an “unauthorized party” gained access to the information of up to 500 million Starwood customers is just the latest in a growing list of massive data breaches that can leave some people wondering, “What, if anything, can I do at this point?”
Marriott said that information exposed included all the usual personal information and then some: passwords, email addresses, departure and arrival dates from hotels — and even passport numbers.
“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," the company said in a statement, which stops short of confirming whether any of the information was removed.
After massive data thefts at Equifax, Yahoo and Target, consumers can be forgiven for “breach fatigue.” But experts say consumers can still take just a few simple steps to protect themselves.
Check your email for Marriott communications but watch out too
Starting Nov. 30, the hotel chain said it would start emailing guests who were affected and had given their email addresses. But people should also beware of phishing or spear phishing campaigns trying to take advantage of the situation and impersonating Marriott through fake emails.
Call the official Marriott helpline or visit websites by typing the website URL directly into a web browser instead of clicking links directly.
Freeze your credit
If users are worried that their information has been compromise, they should contact each of the credit bureaus and put a credit freeze on their accounts.
Credit freezes stop anyone from opening up a new line of credit using your name until you lift the freeze. Unless you're actively using your credit, like negotiating a mortgage or applying for credit card or car loans, you should do this to prevent ID theft. The cost for these used to run up to $20, but recent legislation has made them free as of September.
“If folks haven’t done that yet, they’re behind the eight-ball at this point,” said Jonathan Cran, head of research at cybersecurity firm Kenna Security.
Use a password manager and change your password
Passwords may have been part of the potentially stolen data, so Starwood members should change their password now.
If you used the same password at Starwood as you use elsewhere, now is a good time to change those passwords and start using a password manager like 1Password or LastPass to making changing them simpler.
Add two-factor authentication to all your accounts
Starting with your email and main social media accounts, you should add two-factor authentication to any account that offers it. This is an additional layer of security that texts or generates a temporary password on your smartphone with a program like Google Authenticator to make sure it’s really you logging into your account.
Monitor your bank and credit statements
Check your transaction statements and report suspicious charges to your bank. If you end up being a victim of fraud, also report it to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
Enroll in online monitoring
Starwood is also giving guests a free year's worth of WebWatcher, which promises to monitor online resale sites in case your personal info shows up on the black market. Cybersecurity experts were not familiar with the service but say it can't hurt.
But you might have to get in line — the registration website was largely unavailable on the day the breach was announced.
Don't freak out about the passport numbers
Marriott disclosed that a subset of customers also had their passport numbers exposed. That sounds scary, but according to the National Passport Help Desk, citizens don't have much directly to worry about as long as they still physically hold their passport.