On Friday, Marriott announced that the guest reservation database for its Starwood Hotels brands (which include the Westin and St. Regis chains) had suffered a massive data breach, affecting the records of an estimated 500 million guests going back to 2014. The scale of this breach is almost unprecedented; only Yahoo's 2013 breach, at 3 billion affected accounts, surpasses it. Compare this to the largest recent breaches, such as last year's Equifax breach (143 million consumers) and the Under Armour MyFitnessPal breach (150 million users).
What Happened At Marriott And How Does It Affect Me?
Of the estimated 500 million affected guest records, roughly 327 million included sensitive personal information: names, mailing addresses, birthdates, passport numbers, email addresses and phone numbers. For identity thieves, this is a dream come true.
Much of the coverage will focus on the payment card data taken in the Marriott breach, but consumers are largely shielded from that risk: your liability for fraudulent card transactions is limited as long as you report them promptly, and a card number can simply be reissued. The real danger is the other personal information that was compromised. A passport number or a date of birth cannot be reissued, and it stays useful to a criminal for years.
It seems that Starwood Preferred Guest did not apply a core principle of sound security: assume compromise. Affected records going back to 2014 means the intrusion went undetected for years. Security teams should operate their defenses on the assumption that incidents will happen and, without neglecting prevention, ensure that detection and response capabilities are in place so an intrusion is found in days rather than years.
With that in mind, it is time for individuals to also assume compromise and adopt a personal protection strategy that takes for granted that criminals already hold a detailed file on you. Given the number of breaches at major corporations over the last few years, it is safe to assume that at least some of your personal information is no longer private.
Immediate Steps To Protect Yourself From Data Breaches
Whether or not you have been affected by the Marriott data breach (or any other one), here are some things you can do right now to mitigate the risks associated with these events.
Monitor Everything, Monitor Often
Defending yourself against attackers requires you to quickly notice anything suspicious happening with your accounts or your identity:
- Logging into each of your banking and credit card accounts separately, especially from a network you do not control, exposes your credentials more often than necessary. Fraudsters set up fake wireless networks in places like cafes and airports, and tamper with public WiFi, to capture what you type. Having one place to monitor all of your accounts reduces that exposure. Your Personal Capital dashboard lets you review transactions across all accounts easily and securely. If you spot something fraudulent, report it to the card company promptly and you should face very little consequence.
- Use a credit monitoring service (we like Credit Karma, and it's free) to catch new accounts opened in your name, and again, report promptly if you notice anything unusual. Marriott (like every breached company) offers you such a service, but our take is that spreading your sensitive data across many of these services creates more places from which it can be stolen. Pick one service you trust and stick with it.
- You are entitled to a free copy of your credit report from each bureau every year, so take advantage of this and review it thoroughly. Put a yearly reminder on your calendar so that you check it consistently.
- Be on the lookout for phishing tied to this breach. Every time there is a large, well-publicized security event, criminals use public awareness of it to phish individuals. Don't click links in anything claiming to be from Marriott or Starwood Preferred Guest, however urgent it reads. Type the company's address into your browser yourself, or call the number printed on your statement or card instead.
Lock Down Your Digital Identity
If you are concerned that your data may be compromised and that you may be at risk for identity theft, here are some steps you can take. Again, it’s generally best for people to assume their data has been compromised in some way given the rampant nature of digital fraud — so these tips are worth considering even if you don’t think you’ve been affected by a recent breach:
- Freeze your credit file – Contact the credit bureaus (Equifax, TransUnion, Experian and Innovis) and request a security freeze on your file (not a "lock", which is a separate bureau product with its own terms). This is one of the most effective defenses against identity theft, since it prevents anyone, including you, from opening new accounts in your name. It is not widely publicized, since the industry would rather you open more accounts. When you need new credit for your own benefit, you temporarily lift the freeze and then restore it. Lifting a freeze can take time in some cases, so plan ahead if you are shopping for a car, a house or a credit card. Since September 2018, placing and lifting a freeze is free by federal law.
- Plant Your Flag – A term coined by security reporter Brian Krebs, this strategy means making sure you have "claimed" all of your critical online accounts. Some people, especially older ones, avoid online accounts for their financial and government services on the theory that what isn't online can't be hacked. Unfortunately, an account that remains unclaimed online is an easy target for a criminal who holds your personal information: registering for online access to a bank or a government agency often requires little more than a Social Security number, date of birth, name and mailing address, exactly the data a breach exposes. If you have already registered and set a password, a criminal cannot claim the account out from under you. Make sure you have claimed and set passwords for at least the following: the Internal Revenue Service, the Social Security Administration, the U.S. Postal Service, and your primary bank.
- Password Like A Pro – Most advice after an event like this is "don't reuse passwords" or "use very complicated passwords". That is not bad advice, but it usually falls short on how to make it practical. Here is how to change the way you manage passwords:
  - Get a password manager (see Lifehacker's reviews for options).
  - Secure the password manager with a long passphrase you will not forget. A sentence like "Matt likes to dance in the rain" is both easier to remember and harder to guess than a short jumble of symbols and digits.
  - Once the manager is in place, replace your passwords with long, unique ones stored in it. Start with your Marriott/SPG password and every other site where you reused it.
- Lock down your email with MFA – Multi-factor authentication (MFA) adds a second proof of identity on top of your password. You may have seen it as SMS codes (Gmail, for example, texts you a one-time code when you sign in from a new device) or as mobile apps that generate time-based codes. A code from an app or a hardware security key is stronger than SMS, which an attacker can intercept by taking over your phone number, but any MFA is far better than none. Your primary email is extremely sensitive because the "Forgot my password" links for most of your other accounts land there. If you enable MFA on only one account, make it your primary email.
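To put numbers behind the passphrase advice above, here is an added example in Python (not from the original post) that generates a random passphrase from a word list using the operating system's random source and compares its strength to that of a short eight-character password. The word list in the code is a constructed stand-in for a published list such as the EFF long word list; the list size of 7,776, the 95-character printable alphabet and the guess rate of ten billion per second are stated assumptions used only for the arithmetic. Note that "Matt likes to dance in the rain" is a human-chosen sentence; the entropy figures below apply only to words picked at random.

```python
import math
import secrets

# Constructed stand-in word list. A real generator uses a published list such as the
# EFF long list; only len(list) enters the entropy arithmetic.
WORDS = ["apple", "bridge", "cactus", "dance", "ember", "forest", "glacier", "harbor",
         "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pepper"]

EFF_LONG_LIST_SIZE = 7776       # assumption: size of the EFF long word list (6^5)
PRINTABLE_ALPHABET = 95         # assumption: printable ASCII characters
GUESSES_PER_SECOND = 10 ** 10   # assumption: offline cracking rate against a fast hash


def passphrase(words, n_words=6, sep="-"):
    """Pick n_words uniformly at random. `secrets` uses the OS CSPRNG; never use `random` for this."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Each random word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Each random character from an alphabet of alphabet_size contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    seconds = (2 ** bits) / guesses_per_second
    return seconds / (3600 * 24 * 365)


if __name__ == "__main__":
    print("sample passphrase from the constructed list:", passphrase(WORDS))
    pp = passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 6)
    pw = password_entropy_bits(PRINTABLE_ALPHABET, 8)
    print(f"6 random words from {EFF_LONG_LIST_SIZE}: {pp:.1f} bits, "
          f"{years_to_exhaust(pp):,.0f} years to exhaust")
    print(f"8 random printable characters:   {pw:.1f} bits, "
          f"{years_to_exhaust(pw) * 365:.1f} days to exhaust")
```

The point the numbers make is that length from random words beats complexity from symbols: six random words from a 7,776-word list give roughly 77 bits, while eight random printable characters give roughly 53 bits, and each extra bit doubles the attacker's work. A password manager's generator does the same thing for every other account, so only the one master passphrase has to be memorable.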
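To show what the "mobile apps that generate unique codes" mentioned above actually compute, here is an added example in Python (not from the original post) implementing the HOTP and TOTP algorithms of RFC 4226 and RFC 6238, together with the server-side check that accepts a code from the neighbouring 30-second steps to tolerate clock skew. The enrollment helpers (`new_shared_secret`, `secret_from_base32`), the window size and the six-digit default are my choices; the expected codes in the comments are the published RFC test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation.
    With key b"12345678901234567890" and counter 0 this yields "755224"."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step).
    With the key above, T=59 and 8 digits this yields "94287082"."""
    return hotp(key, for_time // step, digits, digestmod)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps on either side
    (phone and server clocks drift). Every candidate is evaluated and compared in
    constant time so the response time does not leak which step matched."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = now // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            matched = True
    return matched


def new_shared_secret(nbytes: int = 20) -> str:
    """Random secret, Base32-encoded the way authenticator apps expect it in an
    otpauth:// enrollment URI or QR code (assumed helper, not part of the RFCs)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(encoded: str) -> bytes:
    """Decode a user-entered Base32 secret, tolerating spaces and missing padding."""
    s = encoded.replace(" ", "").strip().upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    secret_b32 = new_shared_secret()
    key = secret_from_base32(secret_b32)
    now = int(time.time())
    code = totp(key, now)
    print("enrolled secret:", secret_b32)
    print("current code:   ", code)
    print("accepted:       ", verify_totp(key, code, now))
    print("accepted 2 min later:", verify_totp(key, code, now + 120))
```

Two things the example leaves to a production verifier: it should remember the last counter it accepted for each user and refuse any code at or below it, so a code captured by a phishing page cannot be replayed inside the window, and it should rate-limit attempts, since a six-digit code with a three-step window is guessable in a few hundred thousand tries.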
Are My Personal Capital Accounts At Risk?
This breach does not affect Personal Capital directly. Personal Capital accounts are protected by two-factor authentication, and we do not store your bank account numbers or passwords.
Whether you use our free financial tools or are a client of our wealth management services, security is a key priority for us, and we make every effort to protect your information. You can review the key security measures we have in place on our Security Page, and our security team can always engage directly with clients who have specific concerns.
Disclaimer: Any reference to the advisory services refers to Personal Capital Advisors Corporation, a subsidiary of Personal Capital Corporation. Personal Capital Advisors Corporation is an investment adviser registered with the Securities and Exchange Commission ("SEC"). SEC registration does not imply a certain level of skill or training, nor does it imply endorsement by the SEC.
The content contained in this blog post is intended for general informational purposes only and is not meant to constitute legal, tax, accounting or investment advice. You should consult a qualified legal or tax professional regarding your specific situation. Keep in mind that investing involves risk. The value of your investment will fluctuate over time and you may gain or lose money.