WASHINGTON — The personal information of up to 500 million customers of the Marriott hotel empire, including their credit card and passport numbers, has been compromised in a massive data breach that stretches back to 2014, the company announced.
It’s one of the largest data breaches ever. But it’s not all that surprising, according to Brian Krebs, the cybercrime expert behind KrebsOnSecurity.
The latest breach affected hotel brands that were operated by Starwood, before that company was acquired by Marriott in 2016 — including W Hotels, St. Regis, Sheraton, Westin and others.
“Unfortunately, this is not super-uncommon for hotel chains, like Marriott and Starwood, which actually disclosed a breach back in 2015, stretching into 2014,” Krebs told WTOP.
Marriott has set up a dedicated website and call center for customers who were notified by email that they were affected by the breach. In addition, the hotel giant is offering customers a year of free service from WebWatcher, which is run by the data security firm Kroll. WebWatcher monitors the so-called “dark web,” where personal information is illegally sold.
Beyond that, what else can affected customers do?
Unfortunately, not a whole lot, Krebs said.
“The hotel industry really needs to get its act together on security and, unfortunately, this is only the latest incident of a hotel chain having multiple breaches over several periods of years,” Krebs said. “I guess unless consumers start voting with their wallet, I don’t know what else they can do.”
After years of big breaches, Krebs said people should assume that some of their personal data — including credit card information — is already for sale in the cybercrime underworld.
“When it comes to your personal information, you’re responsible for paying attention to this stuff. So you need to be paying very close attention to what’s in your credit card statement. And the best you can do is really just try to dispute anything that you don’t do.”
Another tool at your disposal? Consider freezing your credit file, so cyber criminals can’t open fraudulent lines of credit in your name, Krebs said.
You might also want to consider using your credit card more — instead of your debit card.
“Yeah, they have the same loss-liability guarantees, but there’s a lot more involved when somebody takes your money and then you have to kind of grovel to the bank for a couple weeks to get it back. And also on top of that, is the bank going to reimburse you for all the fees that these third parties charge you for bouncing checks? Probably not.”