On March 31st, Marriott International notified more than 5 million guests that their personal information was compromised due to a vulnerability in the company’s app. According to Marriott, information was accessed from mid-January through the end of February using two employees’ login credentials (passwords!), both of which were disabled upon discovery of the incident.
What this means for Marriott customers
What we know thus far is that the following information was compromised:
- Phone numbers
- Mailing addresses
- Loyalty account information
- Personal details
- Linked loyalty programs
- Room preferences
Marriott is still investigating, but does not believe Marriott Bonvoy passwords, credit card information, passport information, or driver’s license numbers were accessed. That said, if you have a Bonvoy password, it’s worth taking a minute to change it.
If you’re a Dashlane user signed up for Dark Web Monitoring, you’ll receive a security alert to notify you if your password needs to be changed, and you can update your password easily by using our Password Generator.
For those whose information was compromised, there unfortunately isn’t much additional action to take, other than to stay tuned for more updates from the company. Marriott has set up a portal for guests to get more information. This portal can be accessed through https://mysupport.marriott.com/.
During previous corporate data breaches such as Equifax’s in 2017, numerous malicious actors created fake support and settlement websites to trick customers into giving away even more personal information. It’s important to only enter personal information into websites you recognize and trust.
What this means for businesses
Corporate security protocols and tools are only effective if your employees put them into practice. Nearly 75% of all corporate data breaches are the result of employees reusing passwords on personal and professional accounts, so it’s far more likely this breach is a byproduct of poor password hygiene than rogue employees. However, honest mistake or not, the consequences for businesses such as Marriott remain the same.
If this all sounds familiar, it’s because Marriott is less than a year removed from a GDPR fine of more than $120M for a previous data breach, in which 500 million guests’ personal information was accessed over 3+ years (you can read more about that breach below). Depending on the location of customers affected by this breach, local regulators may hand out additional fines.
Customers are also taking note of which businesses they can trust. In a 2018 IBM study, 75% of global respondents said they would not buy from a company if they didn’t trust the company’s ability to protect their data.
With corporate security tools such as password managers and single sign-on, companies dramatically reduce their risk of similar scenarios. Instead of implementing a company-wide password management strategy, Marriott is likely facing millions of dollars’ worth of regulatory and reputational costs.
For non-Dashlane users, we’re waiving the first 3 months of Dashlane Premium for those who need Dashlane’s password manager and password sharing.
We’re also currently offering businesses a 3-month, no-cost trial of Dashlane Business for an unlimited number of employees.
Looking for more info?
Visit our online safety hub for the latest breach report and a complete guide to staying secure on the internet.
November 2018 Breach
Marriott International, which recently bought Starwood to become the largest hotel chain in the world, announced earlier today that up to 500 million guests had their data exposed via a breach of Starwood’s guest reservation database.
Marriott began an investigation after receiving an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. During the investigation, they learned that there had been unauthorized access to the Starwood network since 2014, and that an unauthorized party had copied and encrypted information and had taken steps to remove it.
- Mailing addresses
- Phone numbers
- Email addresses
- Passport numbers
- Starwood Preferred Guest (SPG) account information
- Dates of birth
- Arrival and departure information
- Reservation dates
- Communication preferences
Payment card numbers and payment card expiration dates were also copied, though this information was encrypted using Advanced Encryption Standard encryption (AES-128). However, it is possible that the information needed to decrypt the cards was also taken in the breach. Marriott is still looking into this.
What can I do now to stay safe?
Marriott has already begun contacting affected users, and they’ve provided this website as a place to learn more about the incident and what services Marriott will provide to the affected.
Our recommendations include:
- Update your password and any similar passwords on other accounts. This should be common practice any time a service you use reveals a hack or breach. Even if passwords aren’t stolen in an attack, updating account passwords and eliminating password reuse is an important first step in mitigating additional damage.
- Review your payment card statements for unauthorized activity, and report any unauthorized activity immediately to your bank. Because Marriott is unsure whether payment information was stolen or not, keep an eye on your statements, and notify your bank right away should you see anything suspicious.
- Beware of phishing emails, texts, or calls that are related to the hack. Cybercriminals are very clever about using a recent breach or hack to solicit sensitive information from affected users. Be skeptical of any communication you receive regarding the attack, and don’t provide any personal or account information without confirming that the communication is from Marriott and not from a scammer.
- If you believe you’re the victim of identity theft, contact local law enforcement. After attacks like these, it’s not unusual for affected users to become victims of identity theft. Monitor your credit for any suspicious activity, and act quickly should you find anything out of the ordinary.
If you’re a Dashlane user, you’ll receive a security alert to notify you if your password needs to be changed, and you can update your password easily by using our Password Generator.
If you have any additional questions, feel free to ask them below, and we’ll do our best to answer them.