How Did Marriott Respond To The Breach


The Marriott-Starwood data breach, disclosed in late 2018, was one of the largest in history, impacting hundreds of millions of guests. It exposed a vast array of personal information, from names and addresses to passport numbers and credit card details. This incident served as a stark reminder of the critical importance of robust cybersecurity, especially in the context of mergers and acquisitions. Marriott's response was a multi-faceted approach, aiming to contain the damage, inform those affected, and prevent future occurrences.

Are you worried about your personal data online, especially with recent news of data breaches? You're not alone! The Marriott-Starwood incident highlights just how vulnerable our information can be. Let's delve into how Marriott handled this massive cybersecurity crisis, providing you with a step-by-step guide to their response and what we can all learn from it.

Step 1: Initial Discovery and Internal Investigation

The first critical phase in any data breach response is the discovery and understanding of the incident.

  • How it Started: Marriott detected suspicious activity on its Starwood guest reservation database in September 2018. This was a crucial first alert from an internal security tool.

  • Rapid Mobilization: Upon detection, Marriott immediately engaged "leading security experts" to conduct a thorough internal investigation. The goal was to understand the scope, duration, and nature of the unauthorized access.

  • Unveiling the Extent: This investigation revealed that the Starwood network had been compromised as far back as 2014, before Marriott even acquired Starwood in 2016. This meant the attackers had been present in the system for years, extracting an immense amount of data. The sheer scale was staggering, potentially affecting up to 500 million guest records.


Step 2: Immediate Containment and Remediation

Once the breach was confirmed, Marriott's priority was to stop the bleeding and secure their systems.

  • Containment Efforts: Marriott worked diligently with its security experts to contain the intrusion and prevent further unauthorized access. This involved identifying and closing off the entry points the attackers used.

  • System Overhaul (Starwood Network): A key aspect of the remediation was addressing the vulnerabilities within the legacy Starwood IT infrastructure. While Marriott had kept the Starwood and Marriott networks separate post-acquisition, the breach underscored the need for significant security enhancements to the Starwood system, eventually leading to its decommissioning.

  • Patching and Hardening: The investigation likely identified specific weaknesses, such as outdated software, inadequate password controls, or insufficient multi-factor authentication. Marriott would have undertaken efforts to patch these vulnerabilities and strengthen their overall security posture.


Step 3: Notification and Communication Strategy

Transparency and timely communication are paramount in maintaining trust during a data breach.

  • Public Announcement: On November 30, 2018, Marriott publicly announced the data breach, acknowledging the severity of the incident. This was a critical step in fulfilling their legal and ethical obligations.

  • Direct Customer Notification: Marriott began sending emails on a rolling basis to affected guests whose email addresses were in the Starwood guest reservation database. This direct communication aimed to inform individuals whose personal information may have been compromised.

  • Dedicated Resources for Guests:

    • Website: Marriott established a dedicated website to provide information about the breach, answer common questions, and guide affected individuals on steps they could take.

    • Customer Hotline: A dedicated call center was also set up, available seven days a week and in multiple languages, to address guest inquiries and provide support.

  • Regulatory Authorities: Marriott promptly alerted global regulatory authorities about the breach, including the U.S. Federal Trade Commission (FTC) and the UK Information Commissioner's Office (ICO), among others. This initiated extensive investigations and eventual penalties.

Step 4: Offering Support and Protective Measures to Affected Individuals

Beyond notification, providing tools and resources for protection is crucial.

  • Free WebWatcher Enrollment: Marriott offered affected guests a free one-year enrollment in WebWatcher. This service monitors internet sites where personal information is shared and alerts consumers if their data is found.

  • Fraud Consultation & Reimbursement: For U.S. guests who enrolled in WebWatcher, Marriott also provided fraud consultation services and reimbursement coverage. This aimed to mitigate the potential financial impact of identity theft.

  • Guidance on Personal Security: While not explicitly mandated by Marriott, the company's communication and public advice encouraged affected individuals to:

    • Change passwords: Especially for their Starwood Preferred Guest (SPG) accounts and any other online accounts where they might have reused passwords.

    • Enable Multi-Factor Authentication (MFA): A crucial step to add an extra layer of security beyond just a password.

    • Monitor accounts: Encouraging guests to keep a close eye on their credit reports and bank statements for any suspicious activity.

  • Be wary of phishing attempts: sophisticated phishing emails often follow data breaches.

Step 5: Post-Breach Compliance and Long-Term Security Enhancements


The response extends far beyond the immediate aftermath, involving significant systemic changes and regulatory compliance.

  • Independent Third-Party Assessments: As part of settlements with various regulatory bodies (like the FTC and state attorneys general), Marriott committed to independent third-party assessments of its information security program every two years for a period of 20 years. This ensures ongoing oversight and improvement.

  • Comprehensive Information Security Program: Marriott was required to implement a robust and comprehensive Information Security Program. This included:

    • Regular security reporting to the highest levels within the company, including the CEO.

    • Enhanced employee training on data handling and security best practices.

    • Improved password controls, access controls, firewall controls, and network segmentation.

    • Adequate logging and monitoring of network environments to detect anomalies sooner.

    • Wider deployment of multi-factor authentication.

  • Data Minimization and Disposal: Marriott was mandated to implement policies for data minimization and disposal, meaning they would collect and retain personal information only for as long as reasonably necessary for its intended purpose, reducing the attack surface.

  • Enhanced Vendor and Franchisee Oversight: Recognizing that breaches can originate from third-party vendors or franchised properties, Marriott had to increase its oversight of critical IT vendors and franchisees, including conducting risk assessments and ensuring clear contractual obligations for security.

  • Loyalty Rewards Account Protection: Marriott was required to provide methods for customers to request review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts and to restore any stolen loyalty points. They also implemented multi-factor authentication for these accounts.

  • Class-Action Lawsuits and Settlements: Marriott faced, and continues to navigate, numerous class-action lawsuits from affected individuals. They have reached significant settlements, agreeing to pay penalties (e.g., $52 million to 49 states and the District of Columbia) and to implement the aforementioned security improvements. These legal pressures further reinforce the need for robust security.


Frequently Asked Questions

How to know if your data was affected by the Marriott breach? Marriott initially sent email notifications to affected guests. While the dedicated website may no longer be active, you can check reputable data breach notification services like "Have I Been Pwned" or contact Marriott's customer support directly for information related to your account.

How to change your Marriott Bonvoy password after a breach? Visit the Marriott Bonvoy website or app, navigate to your account settings, and select the option to change your password. Choose a strong, unique password that you haven't used on any other platform.


How to enable multi-factor authentication (MFA) for your Marriott account? Log in to your Marriott Bonvoy account, go to your security settings, and look for an option to enable multi-factor authentication. This usually involves linking your account to an authenticator app or receiving a code via SMS.

How to monitor your credit for suspicious activity after a data breach? Regularly check your credit reports from the three major credit bureaus (Equifax, Experian, TransUnion) for any unauthorized accounts or inquiries. You can also sign up for free credit monitoring services, if offered by the breached company or your financial institutions.

How to freeze your credit after a data breach? Contact each of the three major credit bureaus (Equifax, Experian, TransUnion) individually to place a credit freeze on your files. This prevents new credit from being opened in your name without your explicit permission.

How to identify and avoid phishing attempts related to data breaches? Be highly suspicious of unsolicited emails or messages asking for personal information, even if they appear to be from a legitimate company. Look for grammatical errors, generic greetings, and suspicious links. Always go directly to the company's official website if you need to access your account or verify information.

How to protect your passport number after a data breach? While you cannot "change" your passport number, monitor your identity for any signs of passport fraud. Report any suspicious activity to your local law enforcement and the relevant passport issuing authority immediately.

How to minimize the risk of identity theft after a data breach? Beyond changing passwords and enabling MFA, consider placing a fraud alert on your credit files, regularly reviewing financial statements, and being cautious about sharing personal information online.

How to file a complaint if you believe you were harmed by the Marriott data breach? You can contact your state's Attorney General's office or consumer protection agency. You may also consult with a legal professional to discuss options for joining class-action lawsuits or pursuing individual claims.

How to stay informed about future data breaches and cybersecurity best practices? Follow reputable cybersecurity news sources, sign up for data breach notification services, and regularly review privacy policies of the services you use. Educating yourself on common cyber threats is your best defense.
