Earlier this week, Marriott reported a major data breach — its second in less than two years — this time involving information from more than 5 million customers.
The exposed data includes name and contact information, as well as other personal details, according to a Marriott International press release.
This is the hotel giant’s second data breach in less than two years. The last was in late 2018, when the company experienced a massive breach that affected about 500 million customers.
Read on to learn more about Marriott’s latest data breach and what to do if you’re worried about the security of your online data.
- Who and what information did this breach affect?
- How did the breach happen?
- What’s Marriott doing about it?
- What can you do if you’re concerned about your data security online?
Who and what information did this breach affect?
The breach exposed the information of about 5.2 million customers across Marriott-owned properties, according to a Marriott internal investigation.
Marriott says the following types of information may have been exposed:
- Contact details (such as name, mailing address, email and phone number)
- Personal details (such as company affiliation, gender, and birthday day and month)
- Loyalty account details (such as account numbers and linked airline programs)
- Guest preferences (such as language and stay/room preferences)
How did this breach happen?
Marriott says that in late February it learned that the login credentials of two employees at one of its franchise properties may have been used to gain access to guest information. The company believes the guest information was accessed starting in mid-January 2020 and says the employees’ login credentials were disabled as soon as the breach was discovered.
What’s Marriott doing about it?
The company notes that it disabled the Marriott Bonvoy passwords of the customers whose information was breached. Customers will be prompted to change their password and set up multifactor authentication when they log back into their account.
Marriott says it emailed guests it believes were affected, and that it also established dedicated call center resources. In the U.S. and Canada, the number is 1-800-598-9655.
Marriott is offering customers the option to enroll in a personal information monitoring service called IdentityWorks for one year free of charge.
Marriott has set up some online resources for customers who think they may have been part of the breach. The company has set up an informational page to answer questions about the breach.
It’s also created an online search tool where you can enter your information, including your Bonvoy number if you have one, to find out whether you were impacted and what type of information may have been exposed.
What can you do if you’re worried about your data security online?
Marriott points out that any communication on the breach you receive via email should come from its official email used to communicate with guests: marriott@email-marriott.com. Make sure you check that email communications claiming to be from Marriott are from this address.
In addition, there are some general best practices you can follow to keep your data safer online.
- Monitor your credit reports and consider a credit freeze. You can get free credit monitoring if you’re a Credit Karma member. We’ll notify you if we see important changes on your Equifax or TransUnion credit reports so that you can check for suspicious activity. You can also ask the three major consumer credit bureaus — Equifax, Experian and TransUnion — to freeze or lock your credit reports for free at any time.
- Keep your passwords secure. It can be tempting to use the same password across multiple sites or to use simple passwords like your name or birthday — but that’s not the best way to keep your information secure. A password made up of multiple short words or phrases might be tougher for hackers to crack. You might consider using a password manager to help keep track of all your passwords.
- Add multifactor authentication. For an added layer of protection, think about putting two-factor authentication in place for any site or account that offers it. This will require you to first log in with your password, then confirm your identity by entering a code often sent to you via email or text.