Marriott International disclosed a massive data breach centered on the online reservation network for its Starwood Hotels brand. The unauthorized access purportedly stretched from 2014 through this November, compromising the names, mailing addresses, phone numbers, email addresses, passport numbers, and Starwood Preferred Guest account information of nearly 500 million customers. In addition, some credit card numbers and expiration dates were revealed, although initial audits indicate that those payment card numbers remained encrypted.
Exactly how the breach occurred is yet to be determined. But in September, an internal cybersecurity assessment alerted Marriott employees to the fact that unauthorized parties may have been copying and encrypting customer information. In addition to Starwood Hotels, other affected brands included Westin, Sheraton, Four Points by Sheraton, The Luxury Collection, W Hotels, St. Regis, Le Méridien, Aloft, Element, Tribute Portfolio, and Design Hotels.
Although the announcement of this breach might come as no surprise to cybersecurity experts and data privacy advocates, the effects rippled out in surprising ways. On Friday, November 30, immediately after the news was revealed, Marriott’s stock fell roughly 5%, highlighting the fact that data breaches and identity theft can negatively affect even a storied brand’s reputation and business performance.
More details are sure to emerge about both the breach itself and Marriott’s efforts to contain the damage, which could lead to enormous cleanup costs, along with civil and/or criminal penalties. Many cybersecurity experts think this breach could be the first real test of stringent new GDPR regulations that require companies to alert government authorities within 72 hours of a known hack.
For now, the number of customers affected in this Marriott breach is staggeringly high, ranking near some of the worst data breaches in history. That includes Yahoo and Equifax; the latter company, a credit bureau, has spent $400 million in recovery efforts after its own breach, which affected 148 million people.
As of this writing, Marriott had set up a dedicated website and call center to deal with inquiries from guests concerned about the theft of their personal information. Marriott said it would conduct outreach efforts to affected customers and announced its plan to offer customers in the United States, Canada, and Britain one year of free enrollment in Web Watcher, a service that tracks black-market sites that traffic in stolen information.
Without knowing what exactly caused this breach, CMIT Solutions recommends the following strategies if you think you or your company has been affected by the Marriott breach:
1) Change any passwords associated with your Marriott account.
This includes the creation of strong and unique passwords that rely on a random mixture of upper- and lower-case letters, numbers, and symbols. It also includes smart management of the passwords you create: using two-factor authentication whenever possible, employing a password management tool, and monitoring social media accounts and email addresses (especially those you don’t use very often) for unusual activity. If you have questions about this crucial step, reach out to a trusted IT provider.
2) Put comprehensive network security to work for you.
CMIT Solutions treats cybersecurity as a proactive pursuit, not a reactive one. First, we conduct cybersecurity risk assessments that identify any potential vulnerabilities. Then, we monitor client systems 24×7 so that we can identify, prevent, and resolve issues before they affect productivity, efficiency, and security — not after they’ve already had a negative impact. From firewalls and data encryption to content filtering and anti-virus, we believe a multi-layered “umbrella” approach gives businesses the best chance to survive and thrive in today’s cybersecurity landscape.
3) Back up your data NOW (and then again and again).
Your business should consider the protection of its valuable information job #1 — just like you take the security of your personal accounts seriously. Data backup and disaster recovery procedures are integral to business success — the Small Business Administration estimates that 45% of companies that suffer from data loss will never recover. Is your data backed up? If so, in what manner and on what kind of medium? How long could your business operate without its critical data? If a natural or manmade catastrophe strikes, how quickly could you recover that data (assuming it’s even backed up)? These are questions you and a trusted IT provider need to ask now, not in the heat of the moment.
Last week’s Marriott breach reflects the fact that we can’t take the safety and security of our data for granted. If you need protection for your computers, smartphones, network devices, or business information, contact CMIT Solutions today. If you’re unsure about whether the Marriott breach affected you or just worried about the next inevitable hack, CMIT can help. We worry about IT issues so you don’t have to — and we believe that technology can transform your business, not impede it.