A security breach at Marriott's Starwood-branded hotels may have exposed the personal information—and possibly payment-card information—of as many as 500 million guests worldwide. Affected hotel brands include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, Le Méridien and Four Points.
Marriott discovered the unauthorized access on Sept. 8, 2018, but did not announce details of the hotel security breach until Friday, Nov. 30, 2018, following an investigation. The company said it would soon begin following up with customers whose information was impacted.
News that the personal information of up to 500 million Starwood guests may have been compromised is sure to send a chill down the spines of meeting planners and the organizations they work for.
Marriott President and CEO Arne Sorenson issued the following statement:
“We deeply regret this incident happened,” Sorenson said in the written public statement from Marriott. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
“Today, Marriott is reaffirming our commitment to our guests around the world,” he continued. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Marriott has set up a website for customers to inquire about the breach: https://answers.kroll.com.
While it's impossible to completely safeguard yourself and attendees against data breaches, especially those involving stays at major hotels, there are some general best practices that planners can follow to prevent cybersecurity calamities, such as the Marriott data breach, at their own meetings and events.
Meeting planners should take the following precautions to shore up their cybersecurity:
- Understand what types of information you hold.
- Ask the right questions.
- Employ the right resources (internal or third-party).
- Use the right behavior (before, during and after an event).
- Modify agreements to address cybersecurity.
- Avoid USB drives unless you know where they’re from, and disable USB ports and Windows Help/Microsoft Support options at registration kiosks.
- Collect presentations in advance.
- Inform participants of social media policies.
- Have protocols for how to display business intelligence.
- Disconnect from the internet if it is not needed.
- Run registration information at a local level.
To protect credit card data, consider the following cybersecurity measures:
- Know how to recognize legitimate hotel booking sites.
- Don’t store information that you don’t need (called tokenization).
- Be careful about how you collect and give credit card information, and consider using paper for on-site registration forms, though realize that paper registration forms also come with risk!
More tips for shoring up your cybersecurity at meetings and events are available here.
Meanwhile, Marriott said it has taken the following steps to help guests monitor and protect their information and also suggested some other helpful advice for those who fear their data is at risk.
Dedicated Website and Call Center for Marriott Guests
We have established a dedicated website (info.starwoodhotels.com) and call center to answer questions you may have about this incident. The frequently-asked questions on the dedicated website may be supplemented from time to time. The call center is open seven days a week and is available in multiple languages.
Call volume may be high, and we appreciate your patience.
Email Notification to Affected Guests
Marriott will begin sending emails on a rolling basis starting [Friday], November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
Free WebWatcher Enrollment for Guests
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year.
WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.
Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries.
Guests from the United States who activate WebWatcher will also be provided fraud consultation services and reimbursement coverage for free. To activate WebWatcher, visit info.starwoodhotels.com.
Additionally, according to credit and loan management website Credit Sesame, consumers should take the following five steps if they have been a victim of identity theft in order to prevent further damage:
Action Item No. 1: Contact Any Institution Directly Affected
If you know your credit card was stolen, report the theft to the credit card issuer. If your checkbook or debit card was stolen, contact your bank. For this step it’s really helpful if you’ve prepared a list of institutions and phone numbers in advance. Don’t write down account numbers, PINs or passwords—that would be just one more way for a thief to gain access to your personal information. But know what you’ve got.
Keep a list of what’s in your wallet, along with the contact information for each item.
The best place to keep this list is on an encrypted, secure online file storage site.
Action Item No. 2: Contact the Federal Trade Commission (FTC)
File an Identity Theft Affidavit and a police report (see No. 4 below), and create an Identity Theft Report. You can file your report online, by phone (toll-free): 1-877-ID THEFT (877-438-4338); TDD (toll-free): 1-866-653-4261, or by mail—600 Pennsylvania Ave., Washington DC 20580.
The FTC will provide you with information about what to do next, depending on the type of fraud.
Action Item No. 3: File a Police Report
To complete the Identity Theft Report, you’ll need to contact your local law enforcement office and report the theft. Be sure to get a copy of the police report and/or the report number. Both your police report and the FTC Identity Theft Affidavit combine to create your Identity Theft Report.
Your Identity Theft Report will help you when working with the credit reporting agencies or any other entities the identity thief may have contacted to open accounts in your name.
Action Item No. 4: Protect Your Social Security Number
If your social security number was or may have been compromised, contact the Social Security Administration (800-269-0271) and the Internal Revenue Service (800-829-0433).
Action Item No. 5: Contact the Post Office
If you have reason to believe the identity thief may have submitted a fraudulent change-of-address to the post office or has used the U.S. mail to commit the fraud against you, contact the Postal Inspection Service, which is the law enforcement and security branch of the post office.
Two Cents, the financial advice section of the Lifehacker website, also provided some general tips for what to do in the event of a data breach that planners, suppliers or attendees may find useful.
No matter how much planners prepare, data breaches are bound to happen in our increasingly digitized world. However, it’s still important that meeting planners establish duty of care protocols to protect attendees.