Marriott Data Breach: How to Protect Yourself
Quick summary
Update: Some offers mentioned below are no longer available. View the current offers here.
Marriott announced earlier Friday that as many as 500 million guests of Starwood hotels may have had their data stolen by hackers. This was no garden-variety hack. Credit card data may have been stolen along with passport data, names, email addresses, dates of birth and stay history. Data breaches are nothing new if you pay attention to the news. In fact, just last week Amazon, one of the largest merchants in the world, disclosed a breach of customer data, though on a smaller scale. Today, we again find ourselves asking the same question:
How Do We Protect Ourselves?
There are a number of ways you can protect yourself from losing your money, miles and mind with this most recent hack, and some are easier than others. Here's a quick look at some ways to keep your personal data safe:
Sing Up For Free Protection From Marriott
Marriott hired a firm called Kroll to provide a product called WebWatcher to anyone who had a Starwood reservation. However, the website setup for this purpose doesn't appear to require you to prove you had a reservation during the period where data was leaked. Here's what Kroll says WebWatcher offers:
WebWatcher monitors internet sites where personal information is shared and generates an alert if evidence of your personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries.
For residents of the United States, enrolling in WebWatcher also provides you with two additional benefits: (1) a Fraud Loss Reimbursement benefit, which reimburses you for out-of-pocket expenses totaling up to $1 million in covered legal costs and expenses for any one stolen identity event. All coverage is subject to the conditions and exclusions in the policy; and (2) unlimited access to consultation with a Kroll fraud specialist. Consultation support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used, including investigating suspicious activity that could be tied to an identity theft event.
What's my opinion on WebWatcher? Well, this is the first time I've come in contact with them. They do have an A+ rating with the Better Business Bureau. There are a few complaints on their website, but that's not abnormal.
Purchase Identity Protection
My father has never heard of identity protection, but it's a fact of life our generation can't avoid. Things may look more secure by the time my children are entering the credit card world, but for now, having some extra protection can be prudent and doesn't have to break the bank.
If you're a Costco member or hold the Costco Anywhere Visa® Card by Citi, you may want to consider CompleteID, a partnership between Experian and Costco. Costco Executive Club members pay a reduced rate of $8.99 per month. The service provides identity protection along with other services like insurance against fraud (up to $1 million) and credit report monitoring.
If you're not a Costco member, you can sign-up directly with Experian. They have different products from the Costco partnership, starting at $9.99 per month.
Lifelock is another popular service that starts at $9.99 per month, though the price goes up after the first year.
Change Your Password
Sounds simple, right? But be honest: when was the last time you changed your Marriott Rewards password? You should change your Marriott/SPG password immediately, and ideally this should be unique from passwords on other online accounts. While you can do this manually, we recommend a password manager. 1Password is my favorite, though there are several others out there. These programs allow you to create strong, unique passwords for all of your accounts, while you remember just one password to login to the secure app of your choosing.
1Password charges roughly $5 per month, and you can store and protect all the passwords for your entire family. 1Password also works with biometric features on the Apple platform like fingerprint and FaceID, adding another level of security for your passwords. Hackers are less likely to be able to figure out a unique, 25-character password with letters, numbers and symbols. In an odd bit of symbolism, the company Marriott hired to monitor your identity for free won't let you create a 25-character long password, instead allowing a somewhat less secure 14-digit version.
Monitor Your Activity
At TPG, we hear frequently from readers who have had points stolen. Our very own Summer Hull recently dealt with a thief clearing out the Ultimate Rewards account of one of her family members. Even though most of these stories have a happy ending (where the program puts the points back in the account), it can be a major hassle. And you don't want to end up needing to book a last-minute flight or hotel room only to find out your account was wiped out by hackers.
Check your balances once a month (at the very least) to make sure you don't see any fraudulent activity. I'm a bit more obsessive, so I check my accounts at least once a week. A service like Award Wallet can also help track your balances for free.
Bottom Line
If you haven't been thinking about protecting your identity, the size and scope of the Marriott breach should open your eyes. There's no need to be paranoid, but there is a need to protect yourself. Along with the tips above, you can also freeze your credit for free if you want to take a more active approach on protecting fraud. And, you'll also find plenty of sites that have enabled two-factor authentication, where you use an app on you phone to help prove you're ... well, you. I'm using the Google version right now for two-factor authentication.
At TPG, we preach that your points and miles are really another currency with value, like the dollars or euros in your pocket. You probably guard your bank passwords pretty carefully, and the same holds true with your credit or debit card PIN. It may be time to start thinking about your hotel and airline loyalty programs the same way (if you're not doing this already). And you should definitely be making sure nobody is using your identity.