After the Marriott Breach, What Now? Can You Protect Yourself?

December 3, 2018 | rjmcgarvey | InfoSec, Travel

 

By Robert McGarvey

 

Another day, another hotel breach. Face reality. Hoteliers suck at protecting your data. There is no gentle way to put that. They really, really stink.

Hotel News Now has a piece that explores the many hotel data breaches over the last decade. Read it and weep because it is your data that now is in play on the dark web.  

Can you in fact stay in hotels and protect yourself? Maybe, we offer tips below. But, first, feast on how inept hoteliers are at data security.

Hotels treat your personal data – name, address, credit card numbers, passport info – the way a deadbeat treats yet another bill collection notice.  

HNN traces the history back to 2010 when there was a big Wyndham data breach. That prompted an FTC suit against Wyndham that eventually was settled. I covered this and, honestly, I find it increasingly tiresome to write about the hotel industry’s cluelessness, or maybe just indifference, to guest data security.

Along the way White Lodging, a management company, had data breaches. So did Trump. Mandarin Oriental.  Hilton. Hard Rock. Kimpton. Noble House. IHC. Sabre.Hyatt. Radisson. Many more.

And now there’s Marriott where maybe 500 million guests were compromised. Apparently because of Starwood data insecurities.

Marriott has not been forthcoming about specific details pertaining to the breach.  It has said it is notifying customers who have fallen victim – so expect a phone call, or email, if you’ve stayed at a  Starwood in memory. (For the record here’s the company statement on the breach.)

Word of immediate advice: right now go and check any rewards accounts you maintain at Marriott.  There are suggestions that maybe these crooks were after those points – there is no confirmation on that front – but it is believable because there’s increasing evidence that hackers are hungry for points and miles that are fairly easy to convert into cash or cash equivalents (like an iPad or iPhone). Make sure all is copacetic and if it’s not, raise a loud yell at the nearest Marriott rep.  

Should you in fact expect meaningful compensation? Nah. That rarely is on offer. If points were stolen, almost certainly they can be restored. But beyond that I suggest never holding one’s breath in expectation of real compensation for pains suffered in a data breach.

The usual compensation is a year or two of monitoring of credit and dark web activity by a namebrand cybersecurity outfit. My favorite such is when T-Mobile revealed some 15 million applicants for credit – yours truly among them – had their data compromised when a server maintained by Experian was hacked. Victims were offered free credit monitoring by, you guessed it, Experian.

What can you do to protect yourself?

Do make it a practice to get free activity reports from such as MasterCard. Closely monitor credit activity and do stay on top of accrued rewards points. If offered free credit monitoring by Marriott, sure, take it.

Accept that by now bad guys know all your private data, from Social Security to your health insurance number (yes, there’s brisk trade in health insurance documents).

So what more can we do to protect our data security? Personally,  I cannot recall the last time I booked directly with a hotel, despite their massive push for that. I use OTAs and many of them have tech company roots and, as an industry, tech has fared a lot better in regard to data privacy than have hotels. OTAs aren’t perfect but I’ll bet on them before a hotel company. In that regard I’ve liked Expedia and will soon start using Google.

But what about the nasty business of check-in where the desk clerk asks for a photo ID and credit card? I am increasingly tempted to buy a fake (“novelty) Nova Scotia driver’s license – on sale for $89 or maybe an Irish driver’s permit for 30 quid.  Use a fake name – maybe Michael Collins – a fake address and I have a good ID to flash at check in at a hotel.

Then I can ask an issuer of a credit card that I already have to issue a supplementary card in Mr. Collins’ name.  Bills continue to go to me and I would make monitoring the account a prime task because there really is no trusting the hotel.

Isn’t this extreme? Of course.  But if hoteliers refuse to take the proper precautions to safeguard our data we have to take our own precautions. And traveling under a false flag may be just the answer.

Have different suggestions on staying safe? Have at it in the comments box below. I’m at wit’s end myself, forced to cogitate on forgeries. Better ideas are welcome.

Leave a Reply

Your email address will not be published. Required fields are marked *