Marriott Hack

As many of you may have read by now, Marriott has announced that its Starwood reservation database was hacked, potentially compromising upwards of 500 million records. Marriott (which acquired Starwood hotels in 2016) is one of the largest hotel chains in the world. Anyone who made a reservation for a Starwood property on or before September 18, 2018 may have been affected. The exposed data includes names, credit card numbers, birth dates, arrival and check-out dates, and potentially passport numbers.

This is a big deal. If your credit card gets compromised, the card can be replaced. Passport numbers, birth dates, and full names are MUCH harder to change. Like all major incidents, be prepared for the details to change over the coming days as new information is learned and shared. Events like these are a great opportunity to engage your workforce, help them out, and reinforce key security behaviors. As you communicate, here are two key points to keep in mind.

  • Stick to the Known Facts. There will be a growing number of guesses, finger pointing, and opinions in the coming days. Avoid sharing those details, as most will be wrong and/or changing.
  • This is Not the Victim's Fault. Big incidents like this are a growing problem in the age of big data. Companies collect a huge amount of data about people, data that people have no control over and cannot do anything to protect. That subject will be shelved for a whole different discussion.

So, what can you tell your people to do to protect themselves? First, Marriott has created a website where people can educate themselves about the incident. One of the options it offers is a free account at WebWatcher, a service that will notify people if their data has been compromised or is being used by cybercriminals.

While this service is helpful, here are four steps that you can recommend for anyone in your workforce who has made a reservation at a Starwood hotel (W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels).

  1. Monitor Financial Accounts: Watch your credit card accounts carefully. Many card issuers offer a service that notifies you (via text or email) if a credit card charge is over a certain limit, or can send you daily reports of your financial activity. We highly recommend you enable at least one of these. You are looking to make sure there are no unauthorized transactions in the coming weeks.
  2. Marriott / Starwood Accounts: If you have an account on the Marriott/Starwood site, change your password. Even if your account has not been reported as compromised, play it safe. In addition, be sure to visit the Marriott website for information on how to sign up for their free WebWatcher service.
  3. Security Freeze: One of the risks with so much personal information compromised is that cybercriminals can use that information for identity fraud. A Security Freeze is one of the most effective steps you can take to protect yourself. Unfortunately, few people know about it. A security freeze locks your credit score so no one can access it. This means that while your credit score is frozen, no bank or financial organization (such as a credit card company) can check what your credit score is, which means no one will give you (or a criminal pretending to be you) a loan or credit card. The challenge is that you have to manually set up a security freeze with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you then have to manually unlock your credit. Then again, how often do you apply for a new loan or credit card? Brian Krebs has an outstanding write-up of what a Security Freeze is and how to get one for free.
  4. Social Engineering Attacks: Warn people that in the coming days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. For example, Marriott will never ask you to provide your password by phone or email. A great source to keep people updated is the free OUCH! Security Awareness newsletter.

If you do get hit with identity fraud, the FTC has created a very impressive site to help you recover. The Marriott situation will be fluid; expect new updates and findings over the coming days. However, the behaviors we cover above apply regardless of how the situation changes, so we recommend you focus on those.

Use this incident as an opportunity to educate others on how to prevent these situations from happening again. Our SANS Security Awareness EndUser Training has been expertly crafted to apply learning principles that make it easy to effect change at your organization.

Schedule a demo to learn more about the SANS Security Awareness EndUser Training