Marriott Has Been Hacked...Again

Hotel giant Marriott announced on Tuesday [4/31/2020] via an incident notification on their website that they had been the victim of a data breach; impacting over 5.2 million customers. This is the second major cybersecurity incident to be disclosed by Marriott in the past 16 months, with the previous one impacting over 500 million customers as far back as 2014.

“What is a data breach?”

A data breach is when information is exposed to someone who should not be able to see it. While most data breaches that you hear about in the news are related to passwords or credit card information being stolen from a company by a hacker, a data breach could also include your personal information, health information, or proprietary information from your organization. These are all things that shouldn't fall into the wrong hands.

“Ok, but what does it mean for me?”

Data breaches can be tricky because you have to understand what has been taken, and how you can protect yourself from that information being used inappropriately. For example, if the news reported that passwords had been stolen from a website, you would change your password for that website. Or, if your credit card number gets stolen, you usually report it to your credit card company and receive a new one.

“What happened this time?”

We won’t dive into how the data breaches happened here, but we will break down what sensitive information has been reported as being stolen.  While other information may have been stolen as part of the breach (you can see the full list here), we’ll only be discussing the main information types you need to act on to protect yourself. For Marriott, these included:

• Name

• Gender

• Birthday day and month

• Mailing address

• Email address

• Phone Number

• Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)

Marriott has stated that they don’t believe that passwords were stolen as part of the data breach, however they are forcing you to reset your password for your Marriott Bonvoy accounts out of an abundance of caution.  As a note, you should change your password for any other account where you may have used this same password. If you’re using a password manager like we’ve discussed before, you shouldn’t have a problem!

“So what do I do?”

The key after a data breach is to focus on the sensitive information that was stolen, and what actions that you can take to mitigate the effects.  We’ve outlined the most important ones, and what you should do right now, below:

Name/ Birthday/ Gender

Unfortunately, there’s not a lot you can do to protect your name, gender, or birthday, if it has been stolen in a data breach. Buying services like identity theft monitoring can help, but the best way is by freezing your credit. Check out our easy to follow guide for more information.

Mailing Address

Unfortunately your address isn’t virtual and you can’t just “reset it.”  So what can you do? Most likely no one is going to come visit you, but they may try to use your address to apply for a new credit card.  Freezing your credit is the best way to stop this from happening.

Email

Your email has likely become an extension of your name at this point, so how do you protect it? Unlike your name you have a few options. Changing it doesn’t make sense since you’ll have to update your family, friends, and websites with your new address. Instead, make sure you stay alert for phishing emails (emails that try to trick you into doing something bad) since your email has probably been added to a spam list and you’ll be receiving more junk email soon.

Phone Number

When your phone number is stolen, it usually gets added to a call list for scam calls. These could be fake calls from “the IRS”, “the Chinese Consulate”, “your boss”, or someone with “a great vacation offer.”  While the government and telephone companies are trying to figure out how to reduce the number of calls coming through (including the fake calls that come from your own number!), it’s best to not answer any call from a number you don’t know. If you do answer, be skeptical, and ask to call them back on a number that you can search for online (like the “Contact Us” number for a company).

Partnerships and Affiliations

While any partnership numbers Marriott may have collected from you, like an airline loyalty program number, didn’t have any passwords attached to the, hackers may still attempt to break into those accounts.  They do this by leveraging information like your name, birthday, address, and the account number (all stolen here!) to call the airline and say they “forgot” their login information. From there, they can transfer miles, book flights, or cash out your points.  Keep an eye on these accounts for fraudulent activity, and notify your airline right away if you see anything suspicious.

Finally, if you’re worried about staying on top of the latest data breaches, make sure to subscribe to the ACT Digest, where we’ll send you an email every two weeks to tell you about what’s going on in the cybersecurity world, and how you can protect yourself, your friends, your family, and your organization.

Follow us - stay ahead.

Read more of the ACT