By now, I’m sure most of you will have heard about The Starwood Hotels and Resorts data breach that resulted in the exposure of an astonishing 500 million hotel guests’ data. Everyone is waiting with bated breath to see whether this breach will lead to the world’s first significant GDPR fines.
What Happened?
In a statement filed with US regulators on 30 November 2018, the hotels and resorts giant revealed that the breach could affect records going back as far as 2014. Approximately 327 million records were affected, with details including names, phone numbers, dates of birth, genders, passport numbers and more.
Marriott claims that it responded quickly upon discovering this data breach; however, some analysts have suggested that it missed a chance to detect the intrusion earlier. In 2015, Starwood reported a smaller data breach in which attackers had installed malware on POS systems in numerous hotel restaurants and gift shops to steal payment card information.
Marriott claims that the 2015 attack is not at all related to the recent, much larger, data breach. However, many security specialists have suggested that a more thorough investigation at the time might have uncovered the attackers, who were able to remain hidden in the system, with access to the critical data, for the next three years.
One point of interest is that the 2015 breach was disclosed just four days after Marriott announced a deal to acquire Starwood, which made the organization the biggest global hotel company (a deal valued at around $13.6 billion). This could be a reason why Marriott may have wanted to sweep the smaller breach under the rug as quickly as possible rather than conducting a full and thorough investigation.
Affected by the Marriott Breach? How Can You Protect Yourself?
If you’ve stayed at a Starwood hotel in the last few years, it’s highly likely that your data has been affected by this breach. Marriott has stated that it will begin to email those affected, so the first thing to do is watch for an email from Marriott in your inbox.
Check for Suspicious Emails
Even though you may well receive a genuine email from Marriott regarding the breach, you should be hyper-aware of any opportunist phishing attacks that are trying to take advantage of the situation. If you’re unsure whether an email is legitimate, contact Marriott directly.
Update Your Password
If you have an account, you should change your password immediately. Make sure to use something that is not easy to guess, such as a combination of three or four unrelated words interspersed with numbers and special characters. If you tend to reuse the same password across multiple services (such as social media, email and online banking), you will need to go through and create a new, unique password for each of them.
Monitor Your Accounts
We recommend that you keep a close watch on your Starwood Preferred Guest account as well as your bank accounts and statements to make sure there is nothing suspicious. Some sites have even gone as far as to suggest that you put a freeze on your credit. If you’re genuinely concerned that your data has been involved in this breach, this is a legitimate step to take.
Be Vigilant About What You Share
With every product or service you use, be fully aware of the information you are willing to provide to companies. You might find that much of the information you would normally offer up voluntarily is not actually required. If you’re worried about providing passport information, for example, you may be able to request that another form of identification be used instead.
However, according to the National Passport Helpdesk, you don’t have to worry too much about passport details being involved in the breach as long as you still hold the physical passport.
A Warning for US Companies – GDPR Could Still Apply!
You might have assumed that, because Marriott is headquartered in the US, it is not subject to GDPR. However, as the breach involved the personal data of EU citizens, it could face fines of up to 4% of its annual global revenue (which could approach $1 billion).
If you want to find out how your organization can avoid what happened to Marriott, come and have a look at our data-centric audit and protection solution and see how it helps you meet GDPR compliance more easily.