Update: January 14, 2019—Marriott has revised the number of guests it believes were impacted by the November 2018 breach from approximately 500 million to 383 million, including 5.25 million guests whose unencrypted passport numbers were stolen. A class action lawsuit has been filed by more than 150 former Marriott guests in Maryland’s federal district court.
On September 8, 2018, Marriott received an alert about an attempt to access their Starwood guest reservation database and launched an investigation. On November 19, 2018, they were able to decrypt the information, revealing the full details of the security breach. In doing so, Marriott discovered that hackers had gained unauthorized access to the system back in 2014 and had gone undetected ever since.
So what does this mean for your executive?
Anyone who made a reservation through the Starwood guest reservation system on or before September 10, 2018 could be affected by the breach. This includes reservations made at a wide range of hotel chains associated with Starwood Hotels and Resorts, including:
According to Marriott, approximately 500 million guests’ information was stolen. While the exact combination of information taken from each person is unclear, the types of personal information that were stolen are vast and of a very serious nature.
Information exposed through the breach includes:
While Marriott can assure guests that the credit card information was encrypted in their system, they cannot guarantee that the keys to decrypt that information were not also stolen in the breach.
With any combination of the pieces of personal information listed above, a hacker (or those to whom they might sell the information) could easily make your executive a victim of identity theft, make false purchases on their credit cards, negatively affect their credit score, or at the very least have far too much information about their communication and whereabouts.
Understandably, if your executive was affected, this is a situation that needs to be dealt with swiftly.
If your executive was affected by the breach, and their email was stored in the Starwood database, they should have received an email from Marriott on or after November 30, 2018. This email would have come from an email-marriott.com domain, to inform them of the breach and its impact on them.
Be on the lookout for email scams, though. Often hackers will use emails with similar domains to trick unsuspecting victims into giving away more personal information. For example, a domain of email-mariott.com or email-marriot.com could be used, and the majority of recipients would not notice the spelling error.
For this reason, Marriott has warned customers that legitimate emails from the brand will not ask for personal information. You should never—and you should remind your executive to never—give out confidential information to a source you do not trust completely.
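The lookalike-domain check described above can be automated. The following is an added example, not part of the original article or any Marriott tooling: it compares the sender domain in a From: header against the expected `email-marriott.com` and flags near-misses by edit distance. The function names, the distance threshold of 2 and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

LEGIT = "email-marriott.com"  # sender domain named in the article

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, legit: str = LEGIT, max_dist: int = 2) -> str:
    """Return 'match', 'lookalike' or 'other' for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "other"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == legit or domain.endswith("." + legit):
        return "match"
    if legit in domain:
        # Expected name embedded in a different domain, e.g. as a leading label.
        return "lookalike"
    # Assumption: the last two labels are the registered name (not true for co.uk etc.).
    base = ".".join(domain.split(".")[-2:])
    return "lookalike" if edit_distance(base, legit) <= max_dist else "other"

# Constructed sample headers; the two misspellings are the ones the article gives.
SAMPLES = [
    "Marriott <notice@email-marriott.com>",
    "Marriott <notice@email-mariott.com>",
    "Marriott <notice@email-marriot.com>",
    "Marriott <notice@email-marriott.com.login.example>",
    "Newsletter <hello@example.org>",
]

def scan(headers):
    """Map each header to its classification."""
    return {h: classify_sender(h) for h in headers}

if __name__ == "__main__":
    for header, verdict in scan(SAMPLES).items():
        print(f"{verdict:10} {header}")
```

A `match` only means the domain string is the expected one. The From: header itself can be forged, so the rule that legitimate emails will not ask for personal information still applies.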
If you haven’t received an email, you’ll still want to be thorough and double check that your executive wasn’t affected. Marriott has a dedicated website with information about the breach and their response to it, which you can visit for more information. They also have call centers for every country they operate in. The United States call center number is 877-273-9481, and is taking calls from 9 AM to 9 PM EST, every day.
Marriott has also offered those affected one year of free WebWatcher service, which monitors websites where personal information is shared and notifies you if any of your information appears. For those in the United States, the service also includes fraud consultation services and reimbursement coverage.
You can also visit IdentityTheft.gov and the FBI’s Internet Crime Complaint Center to notify the appropriate government agencies and help further protect your executive.
If you know or are concerned that your executive’s information was stolen through the breach, there are several steps you can take moving forward to reduce or eliminate adverse effects resulting from the incident.
What to do if information has been stolen (as advised by the Federal Trade Commission):
Your executive may or may not want you to handle such sensitive tasks on their behalf, but at the very least, you can help educate them on these critical next steps.
There are also security measures you should be putting into place—whether or not your executive was affected this time. By taking extra precautions ahead of time, you can help prevent information exposure issues from arising in the future.
Steps to take before information has been stolen:
If your executive’s information was stolen, the fault does not lie with you. It was Starwood’s guest reservation database that was hacked—not your personal computer. There is a limit to what you can do to protect your executive and their information, and you cannot necessarily stop every potential problem.
You can, however, reduce the risk of your executive’s information being compromised, and it is your duty to do your due diligence in this area. While the breach may not have been your fault this time, you should take the necessary steps to make sure that it is not your fault next time, either.
Use companies that you trust, and be selective when giving out information. That alone will go a long way in keeping your executive’s information secure.