Marriott's Starwood customers should 'assume the worst' following hack
As many as 500 million hotel guests may have had their data compromised
Potential victims of the breach of Marriott’s Starwood reservation database “should assume the worst” and take necessary precautions, according to John Shier, senior security advisor at Sophos, a UK-headquartered cyber security and hardware firm.
Last week, Marriott International said that as many as 500 million hotel guests may have had their data compromised by the hack after it found that unauthorised access to its systems dated back as far as 2014. Hotels in the Starwood network include Sheraton, Four Points by Sheraton and W Hotels.
Shier said that the potential fall-out of the data breach “should be alarming to anyone who has stayed at a Starwood property in the last four years.”
“Not only are guests at risk for opportunistic phishing attacks, but targeting phishing emails are almost certain, as well as phone scams and potential financial fraud,” he said. “Unlike previous breaches, this attack also included passport numbers for some individuals who are now at increased risk for identity theft.”
While Shier said that it remains unclear what level of exposure each individual victim has been subject to, he recommended that potential victims take a number of security precautions, such as being on the alert for potentially malicious e-mails, including “opportunistic phishing” emails purporting to be from Marriott or Starwood hotels.
Additionally, Shier recommended that Starwood customers monitor their financial and Starwood Preferred Guest account accounts, as the attacker may have gained access to encrypted credit card information.
“Change the password to your online credit card account,” he said. “If you use the same password for similar financial management websites, immediately change the password on those websites.”
In a statement announcing the security breach, Marriott International said it was providing guests the opportunity to enrol – free of charge for one year – in WebWatcher, which monitors internet sites where personal information is shared and generates an alert if evidence of the consumer’s personal information is found.
While Marriott provided a link to activate WebWatcher, Shier warned customers to not search for it online.
“Don’t Google it. If you Google ‘WebWatcher’, you won’t find the monitoring service, you’ll find lots of links to spyware of the same name,” he said. “Don’t sign up for that.”