By now, you’ve probably heard about the Starwood Hotel breach. In November, Marriott, the world’s largest hotel chain, confirmed that as many as 500 million people who made reservations at one of its Starwood properties could have had their personal information—including names, mailing addresses, phone numbers, dates of birth, passport and credit card info—stolen by Chinese hackers. Peter Aiken, associate professor of information systems at the Virginia Commonwealth University School of Business, calls the attack “the biggest threat to U.S. national security that we have ever faced” from a data breach.
Hackers successfully swiped sensitive guest data dating back to 2014, which means that if you’ve stayed at a Starwood property (such as the Westin, Sheraton, or W) since then, you could be affected. What can you do about it? Furthermore, what can businesses learn from the second-biggest data breach of all time? Kelser’s Matt Kozloski went on FOX 61 to discuss, and below I elaborate on some of the ideas he shared.
Takeaways for Businesses
Maybe the most shocking and scary revelation is that it took Starwood four years to detect the data breach. This is actually not uncommon. Hackers love getting into systems and staying undetected. They can hang out as long as they want gathering data, observing behavior, and potentially gaining access to other systems or files. If there’s a weakness in a company’s cybersecurity defenses that allows them to get hacked, chances are systems may not be in place to detect a hack either. Tools that automatically monitor access and behavior for anything suspicious are key components of a cybersecurity strategy.
Large, multinational companies are clearly not immune to cybersecurity threats, even with many resources at their disposal. Hackers know that smaller businesses likely have weaker defenses than the Starwoods of the world. The truth is no company is too big or too small to be a target.
Not surprisingly, Marriott’s stock dropped over four percent after the news came out, but that’s just one of many problems the company faces as it tries to pick up the pieces from the attack and restore its image. Consider all the fallout from this data breach:
Much of the data taken seems somewhat harmless—phone numbers, email addresses, and physical addresses. What’s the big deal? You give out this info all the time.
Hackers are very clever and can use just about any information about you for phishing attacks, leveraging personal details to make phony emails, calls, or letters more believable. Phishing is still the preferred method of hackers and the way most cyber-attacks start. Be wary of any email that’s asking you to click on a link, even if it appears to come from a reliable source. Hackers often do their research and copy the format of email notifications from companies, right down to the email signature. Look out for any obvious typos or inconsistencies, bad grammar and spelling, or red flags like an urgent request to do something (change your password, click on a link).
Hacking a hotel giant isn’t the only way hackers can get your information when you stay at hotels. Hackers have been known to set up Wi-Fi networks that have names that appear very legitimate (Kelser’s Jonathan Stone was quoted in Inc describing how we set up these networks at conferences to show how easy it is). Your phone’s hotspot is more secure, but if you must use the hotel Wi-Fi, be certain you are connecting to the hotel's official network. When checking in, be sure to get the name and login info directly from the hotel. Always be careful of what network you join, and watch out for certificate errors.
When staying at a hotel, treat even the official Wi-Fi network the same way as any other public internet connection, such as one at a library, coffee shop, or airport. Never transmit any sensitive data across it. Trust us, that last-minute gift idea can wait. Saving a few dollars isn’t worth the heartache that comes from identity theft.