The names, addresses, contact information and passport numbers of over 300 million people who stayed at a Starwoods hotel property may have been accessed in a major data hack, Marriott hotels reported Friday. Marriott's data team confirmed that the Starwood guest reservation database — which contains up to 500 million accounts — had been compromised, and the hacking may have been ongoing since 2014.
Unfortunately, there may not be a lot individuals can do to completely protect themselves in response. Even a credit freeze may not a comprehensive solution.
"A credit freeze doesn't do much for identity theft. A credit freeze is not going to stop the bigger problems, " cyber-security expert Joseph Steinberg tells CNBC Make It. "Everybody comes with the assumption that there's something to do and the reality is, sometimes, there isn't anything a consumer needs to do."
The best choice is to be vigilant, Steinberg says. If you receive notification from Marriott that your information was affected, sign up for the WebWatcher service the hotel chain is offering for free. Unlike a simple credit monitoring system, WebWatcher analyzes websites where personal information is shared and alerts consumers.
The biggest threat is not that a criminal could open a credit card in your name and make fraudulent transactions; that would get fixed quickly since credit card companies know about the problem, he says. "If someone picked up a driver's license in your name, that's a lot more of a serious problem for you," Steinberg says.
A criminal could also use the information to embark on medical identity theft, says Rebecca Herold, CEO of cyber consulting group Privacy Professor, and a credit freeze won't prevent that, either. "People need to understand that [a credit freeze] is very limited in scope to what it will prevent in a breach such as this," she says.
Freezes are best implemented when financial information has been compromised, independent computer security analyst Graham Cluley tells CNBC Make It, and that does not seem to be the case with Marriott.
"At the moment there's no indication that payment details have been compromised by scammers, and I would imagine that on a breach of this scale that Marriott would work with the banks to proactively block cards if they believe that they are likely to be," Cluley says.
It's a tricky situation, Cluley says. After all, you're unlikely to change your name, your address, your phone number or your passport number. "Many people, I suspect, won't even change what hotel they book for their vacations — after all, this is the world's biggest hotel chain, and there are many other hotels that have been hacked in the past," he says.
Ultimately, Cluley says, "the best individuals can do is keep an eye open for scammers contacting them." That includes fake emails or phone calls from criminals posing as Marriott/Starwood and perhaps offering compensation. "This is a standard trick used by scammers to steal banking details after a big data breach," he says.
Not everyone concurs that it won't help to freeze your credit: CreditCards.com industry analyst Ted Rossman argues that the Marriott hack is the perfect example of how a credit freeze can protect you. "It's free, easy and effective," he tells CNBC Make It.
"The biggest threat here is a criminal using the stolen info (name, address, date of birth, etc.) to spin up a fake profile and create new accounts in your name," Rossman says. New account fraud is a big mess to unwind, he adds, and a credit freeze could help keep you safe.
If you want to freeze your credit reports and haven't already done so, you need to contact the three major credit bureaus, Equifax, Experian and TransUnion, separately. Keep in mind that you will need to unlock your credit if you're applying for any credit products in the future, like a credit card or mortgage.
Whether or not you decide to freeze your credit, all of the experts recommend you periodically check your credit report and stay vigilant, watching for signs your identity has been stolen.
Like this story? Subscribe to CNBC Make It on YouTube!