Today Marriott announced the company’s Starwood reservations database had been breached and the personal information of 500 million guests stolen. The Washington Post reports that Marriott first learned that an unauthorized party had access to its systems on Sept. 8, but because the hackers encrypted the stolen data the company was unable to determine the nature of the breach until Nov. 19.
The hospitality industry is not known for its stellar security. For that reason a breach of this nature is not all that surprising — it’s more interesting that the breach was discovered than the breach itself.
What makes this breach stand apart from the other big breaches over the the last few years is the data that was taken. Hotels collect more PII data than most enterprise organizations (birthdays, passport numbers, email and mailing addresses, and phone numbers). Given the number of services and systems that use passport numbers to verify identity, the risk of identify fraud for the 500 million people affected is nearly unprecedented.
The last breach of this size that included passport data was the U.S. Office of Personnel Management (OPM) breach of 2015. When you’re up in the hundreds of millions of records the impact is great and lasting. However, this risk all depends on who stole the data. If it was a nation state, the breach may be more of a reconnaissance mission, which brings an entirely new set of concerns.
This breach was also unique given the demographics of those impacted — many if not most hotel reward members likely signed up before password managers, making the likelihood of password collisions high. Credit monitoring is key in this case, but so too is understanding where these credentials might also show up. Implementing a password manager such as 1Password, Keeper Security or LastPass for ALL accounts — no matter how old.
A couple of things you can do to protect yourself:
- Sign up for credit monitoring. Starwood is offering free WebWatcher for a year for dark web monitoring. Another great option is LifeLock.
- Have a think about password reuse if you’ve stayed with Marriott/SPG before… Is it *that* password? You know, the one you created in high school that’s really easy for you to remember, but also know you probably shouldn’t reuse everywhere? If it is, breaches like this mean the bad guys probably have it, and this breach means they *definitely* have it.
- Activate Two-factor authentication (2FA) where ever you can, especially on your personal email and social media accounts (i.e. the ones which, if accessed, can be used to reset all your other passwords and gain access to your accounts).
- Use a password manager (Bugcrowd works with 1Password, LastPass, and Keeper Security) and minimize password reuse on important services. All of these tools now have password re-use detection tools… Take advantage of these and give your internet identity a bit of a “Fall cleaning” over the weekend.
If we’re lucky with the Marriott/SPG the database will never hit the street to be used by cyber attackers… But I wouldn’t count on this. Use this event as an opportunity to review your personal security posture.