Hotel chain Marriott announced Tuesday that hackers accessed an internal data system that contained the personal information of approximately 5.2 million guests, including names, contact details and addresses.
Marriott reports that at the end of February it found that an "unexpected amount" of guest information may have been accessed starting in mid-January. The data was accessed using the logins of two employees at a franchise property and included the following guest information:
The hotel chain stressed that while the investigation is ongoing, it had no reason to believe account passwords for Marriott's Bonvoy rewards program or financial information such as credit card numbers, passport information or driver's licenses were accessed, Marriott said in a notice of the breach.
Yet the breach could be problematic for consumers. "From what we know of the information exposed, this is the kind of data that provides good raw material for cybercrime," says Tyler Carbone, chief strategy officer at digital risk protection provider Terbium Labs.
Marriott sent an email Tuesday to affected customers from email@example.com and set up a dedicated website where customers can submit a request to check to see if their information was involved in the data breach.
For Marriott Bonvoy members who were affected, the hotel chain said it automatically disabled the accounts. The next time members log in, they'll need to change their password and will be prompted to enable multi-factor authentication.
This is not the first data breach involving Marriott. In November 2018, the names, addresses, contact information and passport numbers of over 300 million people who stayed at a Starwood hotel property were accessed in a major data hack. Marriott, which had just acquired Starwood, said at the time that the Starwood guest reservation database — which contains up to 500 million accounts — had been compromised, and the hacking may have been ongoing since 2014.
Here are a few steps experts recommend taking if you think you may have been affected by the latest Marriott data breach.
Currently, there's no indication that any of the accessed data has been misused, but Marriott said it will be offering free personal information monitoring services to those affected through IdentityWorks for one year.
U.S. residents can enroll through Experian's IdentityWorks website and use the activation code in the email notice Marriott sent. Those interested in enrolling have until June 30, 2020 to take advantage of the offer.
For questions, Marriott recommends U.S. residents contact the dedicated call center resource the hotel chain has set up at 1-800-598-9655.
You can also set up a free monitoring service through sites like Credit Karma, which will send you alert emails about any recent activity on your TransUnion or Equifax credit reports.
Although Marriott does not believe Marriott Bonvoy account passwords were accessed, it's a good idea to update your passwords associated with any Marriott accounts or bookings, as well as any bank or credit card accounts used to make reservations. You should always be changing your passwords regularly.
Almost half of Americans, 47%, use the same passwords over and over again, according to PCI Pal. This can cause problems in a data breach: Only one account may be compromised, but if you've used that same password in several places, you'll need to change all of them. Look into using a password manager such as LastPass or Dashlane. These programs will automatically generate unique, secure passwords for all your accounts and remember them for you.
It can't be stressed enough: The best response is to be vigilant. That includes when you're at work. Because your employer affiliation was also exposed in this Marriott data breach, Carbone expects to see an uptick in cyber attacks against the businesses whose employees' data were compromised.
"The biggest issue with breaches like this is actually for other companies," Carbone says. "This breach exposes a tremendous amount of personal data that is the raw material bad actors use to construct attacks. It also exposes employer information, which is basically a starting target list for those attacks."
If you're concerned about exposure, you may want to consider creating and using different email addresses for non-essential purposes, such as traveling or shopping, says Daniel Smith, head of security research at Radware. The same applies for the phone number you provide. "Isolating your primary information from unnecessary exposure is the key takeaway," he says.
In many data breaches, experts recommend that consumers put a freeze on their credit reports to stop anyone from taking out a credit card or loan in their name. Yet in the case of Marriott's latest data breach, no financial information was accessed. That said, a data breach can still be damaging if you have multiple pieces of information leaked, so it may be worth considering putting one in place if you're worried about identity theft.
If you want to freeze your credit reports and haven't already done so during a previous data breach, you need to contact the three major credit bureaus, Equifax, Experian and TransUnion, separately. Keep in mind that you will need to unfreeze your credit if you apply for any credit products in the future, such as a personal loan, credit card or mortgage.
While a credit freeze will stop anyone from taking out a credit card or loan in your name, it's not a silver bullet against identity theft. A credit freeze doesn't do much for identity theft that is not related to opening up a credit account, including medical identity theft and scams in which criminals set up new bank accounts.
"While it doesn't protect you from all forms of identity theft, it does stop someone from opening new accounts in your name," says Eva Velasquez, president and CEO of Identity Theft Resource Center. "A credit freeze is a best practice for all consumers, not just those affected by a particular data breach."
To protect your data year-round, experts recommend that consumers practice common safeguards, such as avoiding clicking on links or opening attachments in emails, especially when they don't know the sender.
Emails are a particularly common way for fraudsters to gain access to your credit card information or identity. Hackers send what's called a phishing email. "Email is the No. 1 way cybercrime of all forms happens. If a bad guy can get you to click on a link in an email, he can do all manner of bad things to your online life," says Dave Baggett, co-founder and CEO of anti-phishing startup Inky.
Consumers should use two-factor authentication to log into their accounts, which generally requires users to not only enter a password, but also confirm their identity by logging onto their phone or entering a code texted or emailed to them.
If you do experience identity theft, you can set up an extended fraud alert on your credit file. When you take this step, you can get two free credit reports a year and the credit bureaus must take your name off marketing lists for prescreened credit offers for five years. The extended alert lasts for seven years.