As the saying goes, when it rains, it pours. In the midst of mass layoffs of its employees, global shutdowns of its properties and executive pay cuts, Marriott International today said personal information of 5.2 million of its customers could have been stolen.
The hospitality company did not say how the theft may have occurred, or who was at fault. But it did state that the data did not include sensitive details such as credit card and passport numbers.
Guests’ information—contact details and Bonvoy loyalty account numbers—was not properly safeguarded for more than a month, Marriott said.
This is the second major data breach for Marriott in recent years. In 2018, the company announced that 500 million guest records had been breached—but said the vulnerability had been inherited from the purchase of Starwood hotels in 2014.
Greg Sparrow, senior vice president and general manager at CompliancePoint, an Atlanta-area consultant for cybersecurity and risk management, advises members of Bonvoy and other hotel and airline loyalty programs to “silo your risk.”
By that he means: use different passwords for each of your rewards accounts. Never use the same passwords for email and social media accounts, and certainly not for financial accounts.
“People need to realize there’s risk in storing information,” he says. “Companies need to think long and hard about what has to be saved and retained. If there’s no good business reason for it, get rid of it.”
As consumers, he urges, we should “be mindful of the type of information that’s being asked for.”
Beware the Scammers
Other security experts urge that extra caution be taken online as many of us work from home while sheltering during the COVID-19 crisis. Without the sturdy firewalls and extra layers of protection offered on company networks, remote workers are more at risk for cybertheft and scamming.
In Detroit, for instance, the FBI released a message urging local residents to avoid scammers looking to cash in on the coronavirus epidemic.
According to a local television report, FBI Detroit Special Agent in Charge Steven M. D’Antuono said he had been personally targeted by email and phone scammers, who were trying to sell protective equipment or a phony COVID-19 test.
“Through your email, your computer or phone calls, there’s a lot of phishing scams that try to get you to click on a link,” he said. “If you don’t recognize it, don’t click on it.”