Another Marriott Breach, Ho Hum

By Robert McGarvey

In other news on March 31, Marriott disclosed what it called a “Property System Incident.”

We interrupt that to report a shoplifting at a dollar store, cutting now to the live police feed of this dramatic story.

You probably missed the Marriott news because it was an otherwise busy day with acres of – grim – Covid-19 reporting and with projected US death totals now reaching into six figures, shortages looming for ventilators, inexplicable mask shortages, and, well, who really had the bandwidth to process yet another report of a hotel data breach?

Not us.

Marriott doubtless hoped you would miss it because the company’s statement is calculatedly blah.  It says just about nothing and that’s tipped off by the word “incident” in the headline. Meaning absolutely nothing.

But the Marriott statement does note the personal info of about 5.2 million Marriott loyalty members apparently was compromised in the “incident.”  It elaborated:

“At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved:

* contact details (e.g., name, mailing address, email address, and phone number)

* loyalty account information (e.g., account number and points balance, but not passwords)

* additional personal details (e.g., company, gender, and birthday day and month)

* partnerships and affiliations (e.g., linked airline loyalty programs and numbers)

* preferences (e.g., stay/room preferences and language preference).”

Marriott added: “Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

The real take away from this: the continuing indifference of the hotel sector to protection of guest data. How many breaches have to occur – from Trump hotels to Starwood and Hilton and just about everybody else? How many stories have to be written? Somebody needs to say, this is a problem.  It needs to be fixed.

Actually we’ve been saying all for that for some years now and nothing has changed.

We need a new campaign.  Complaining about hotelier incompetence is not enough.

Real change will start with us. 

We share culpability. We put up with it.  For some time I have suggested that probably the only safe way to stay in a hotel is with a bogus travel credential (a novelty Irish driver’s license for instance) and using a credit card paired to the bogus ID. Then annually burn that identity and create a new one.

Shop for ID online. Here for instance.  Note: I am not suggesting using any such ID to drive a car or any similar activity – many of which might be illegal.  Rather, I am suggesting we take a trick from the oldime restaurant critic’s playbook – from the era where they practiced anonymity – when every big newspaper and magazine handed out credit cards in bogus names to their critics so they could make anonymous reservations. As long as the bills got paid, no harm done.

We’d be a lot safer in hotels if we did something similar today.

A lot of work? Yeah. But so is the persistent credit monitoring we all do because we have been involved in so many data breaches, many involving hotels and restaurants.

In Marriott’s defense this breach was detected quickly by hotel standards – often years go by. In this case, just months.

But worrisome is that two employee accounts were apparently the tools.  And that they were used to perpetrate large amounts of data exfiltration that should have been detected and stopped quickly.  Screens against substantial data exfiltration just are good practice in well run organizations.

Not apparently in Marriott.

So what should you do now?  Paul Bischoff, privacy advocate with Comparitech, said: “The biggest threat Marriott guests might face as a result of this breach is targeted phishing. Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company. Don’t click on links or attachments in unsolicited emails. Check email addresses and don’t just trust display names. If you’re uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google.”

Remember that. If you are among the 5.2 million you will begin getting targeted phishing emails as soon as the data sells on the dark web. And it will go on for years.

That novelty driver’s license is making ever more sense? 

It’s up to us to protect ourselves.  It’s become that obvious.