Marriott breach: How to protect yourself if you stayed at a Starwood hotel
If you stayed at one of Marriott's Starwood properties, it's possible your data has been compromised in the massive data breach disclosed by the company Friday. The hotel chain said about 500 million guests who booked reservations at its Starwood properties could have had information such as their birth dates, addresses and even passport numbers stolen.
That could let criminals open fraudulent accounts in your name, or even allow thieves to target your home if they know when you're planning a trip.
It's wise to assume that your data is already available to fraudsters and take steps to protect yourself, said Mike Litt, consumer campaign director for the U.S. PIRG Education Fund, in an email.
Below are five tips from security experts on how to minimize your exposure after the Marriott breach.
1. Change your passwords
First, change your passwords for sites that store personal information, such as social networks and e-commerce sites.
Make sure your passwords are distinct because hackers will try "credentials stuffing," or using stolen usernames and passwords in automated requests for logins across different sites, said Anthony James, vice president of CipherCloud. He said the practice is now a "commonly used practice" among cyber criminals.
"Passwords should be unique to each account and two-factor authentication should be enabled wherever possible," said Paul Bischoff, a privacy advocate with Comparitech.com, in an email. Two-factor authentication is when a site asks for two pieces of data to verify your identity, such as a password and a PIN texted to your phone.
2. Freeze your credit
Security experts recommend freezing your credit to prevent fraudsters from opening new accounts in your name.
"The info taken from Starwood is very significant. The worst thing bad guys could do with the kind of information that was stolen would be to use your name, address and date of birth to open a credit account," said Ted Rossman of CreditCards.com.
Credit freezes block new creditors from accessing your payment history, which means lenders won't extend new credit.
The good news is that credit freezes are now free for all consumers, thanks to a law that passed in the wake of the Equifax data breach. But it takes some legwork as consumers must place separate freezes at each of the three major credit reporting bureaus. And if you want to take out a new credit card, a mortgage or other credit product, you'll need to lift the credit freeze at each bureau.
Here's where to reach each of the bureaus to request a freeze:
3. Use contactless payment
Experts suggest using contactless payment methods — such as Apple Pay — whenever possible.
"Everytime you swipe your credit card, it will be tracked by a merchant's system, so if they are hacked, your credit card will be accessed," said Wallarm CEO Ivan Novikov. "I recommend using Apple Pay, Google Pay or whatever kind of contactless payment method is available on your phone."
Contactless credit cards, which are popular in Europe, work just as well, as do money transfer applications such as PayPal and Venmo, he added.
4. Monitor credit card activity
Every unauthorized charge should be reported, no matter the size. That's because criminals make small charges to check whether a stolen card is still active.
"Keep an eye on your credit card activity and report suspicious activity immediately. Small charges of a few cents should not be overlooked," Bischoff said.
5. Beware of suspicious emails
Hackers could have access to the type of information Marriott relies on to create a customized experience, including your spouse's name, number of children and even your sleeping habits.
"All these things that hotels collect to make your experience more personalized are also things that sophisticated attackers can use to make their attacks more personalized," said privacy attorney Paige Boshell.
She added, "It can help a phisher figure out a way to address an email to you such that you will let your guard down. You are more likely to respond to someone who appears to know you."
Hackers may also try to impersonate Marriott in phishing campaigns to wheedle more information out of you. Marriott said it will notify impacted customers from this email address: starwoodhotels@email-marriott.com. Otherwise, ignore unsolicited requests for information by email, links, phone calls, pop-up windows or text messages, Litt of U.S. PIRG said.