For the second time in less than two years, Marriott International announced that it experienced a data breach involving millions of guests. Learn about the types of data that were stolen and the measures victims can take to protect themselves.
For the second time in less than two years, Marriott International announced that it experienced a data breach involving millions of customers. On March 31, 2020, the hotel giant revealed that cybercriminals stole the personal data of up to 5.2 million guests. Some people likely had a feeling of déjà vu when they heard this news. Just 16 months earlier, Marriott had announced that 500 million customers had their data compromised due to a breach.
If you stayed at a Marriott Hotel during a business or leisure trip recently, here’s what you need to know about the 2020 data breach.
What Was Stolen
Although the investigation has just started, Marriott officials think the data breach began in mid-January 2020 and lasted until its discovery at the end of February. The cybercriminals likely gained access to company systems using the login credentials of two employees at a franchised hotel. The credentials were for a business app. Hotels franchised and operated under Marriott’s brands (e.g., Courtyard, Fairfield Inn, Ritz-Carlton, Sheraton, Westin) use this app to help provide services to their customers.
Marriott officials do not believe any payment card details, passport information, driver license numbers, national IDs, or Marriott Bonvoy account passwords were stolen. (Marriott Bonvoy is the name of the company’s loyalty program.) However, other types of personal data were breached, including:
What Marriott Is Doing in Response to the Data Breach
After Marriott discovered the data breach, it started an investigation, reported the incident to the appropriate authorities, and sent notification emails to customers whose data was involved in the breach. The company also set up a self-service web portal that guests can use to find out whether their data was breached, and if so, which types of information were stolen.
Customers who had their data stolen can enroll in Experian’s IdentityWorks service free of charge for one year if desired. Besides looking for victims’ personal information on the dark web, IdentityWorks provides identity theft insurance and an identity restoration service if a person’s identity is stolen.
Information on how to sign up for IdentityWorks is provided on Marriott’s data breach support website. In addition, the site provides answers to frequently asked questions about the breach and the phone numbers for dedicated call-center resources in case customers have other questions they need answered.
The support site also highlights another action that Marriott took in response to the data breach. Even though Marriott Bonvoy account passwords were not part of the breach, the company disabled the passwords of Marriott Bonvoy members who had their data stolen. This was done to help protect those members in case they created weak passwords. Since the cybercriminals have the members’ loyalty program account numbers and email addresses, they could use a brute-force password-cracking tool to crack weak account passwords.
Marriott Bonvoy members who had their data stolen will be prompted to change their passwords when they log in to their accounts. In addition, they will be encouraged to enable multifactor authentication (aka two-step verification).
How to Protect Yourself
As an individual, there is little you can do to stop cybercriminals from hacking into companies’ databases and stealing your personal information. However, you can take measures to minimize the damage if you become a data breach victim. In the case of the Marriott data breach, it is a good idea to take some or all of the following precautions to protect yourself:
Watch out for phishing emails and calls supposedly from Marriott. Scammers like to use current events (e.g., data breaches, natural disasters) to con people into providing personal information. Marriott states that, “You should not provide any information — especially payment card information, other financial account information, online account information, or passwords — to anyone who calls or otherwise contacts you purporting to be from Marriott or a Marriott brand hotel. Marriott will never call or email you to ask you to provide this information by phone or email.”