New Marriott Data Breach – It’s Not Their First

Marriott has suffered several data breaches over the past 10 years, so this week’s news of yet another breach doesn’t come as a huge surprise.

Marriott had, and I believe still has, one of the least stringent password policies. Historically, Marriott required a password with a minimum of 6 characters, with no requirement to use alphabetic and numeric characters or special characters. Now, Marriott has increased the minimum password length to 8 characters, but there is still no requirement for alphabetic and numeric characters or special characters.

Marriott began emailing customers early this week advising of the breach and encouraging customers to change their password. They have since revised the “request” to be a mandatory change. When you log into your Marriott Rewards account, you will be prompted to change your password. Additionally, Marriott is informing members that beginning August 8 they will not be able to access their Marriott Rewards accounts from a mobile device until they go to and change their passwords.

As I said, Marriott is no stranger to data breaches. In April 2011, Marriott informed customers that their names and email addresses had been exposed in a massive online data breach. The April 2011 breach also involved other companies like Hilton, Target, US Bank and more, who all used the online marketing vendor Epsilon.

In the fall of 2011, a 26-year-old Hungarian hacked Marriott corporate computers and stole data and confidential financial information. In this case, the man contacted Marriott and tried to blackmail them with the information he stole. In November of 2011, Marriott flew the individual to their offices in the US, where the man was arrested by authorities and charged with several cyber-crimes and blackmail. Marriott said they spent between $500,000 and $1 million dealing with the breach.

In 2010, Marriott and Marriott operator HEI notified 3,400 customers that credit card data had been breached. In this case, Marriott said that hackers accessed the payment card data between March 25 and April 17, 2010 via compromised point-of-sale systems.

In early 2007 Marriott informed employees that their names and addresses may have been breached but that no other personal information had been accessed.

In December of 2005, Marriott notified 206,000 customers (mainly Marriott Vacation Time Share Owners) and employees that computer backup tapes had gone missing from their Orlando, Florida offices.  The breach included personally identifiable information.  In this case, Marriott offered a year of credit monitoring to those 206,000 people impacted.

Marriott isn’t the only hospitality industry company with a history of data breaches. Other notable data breaches have involved Hilton (2006: names and credit card data were reported stolen) and Atlantis in the Bahamas (2006: names, addresses, credit card numbers, Social Security numbers, driver’s license numbers and bank account details for 50,000 guests were reported stolen).

Don’t think hotels are the only victims: last month JetBlue notified employees that their personal information had been hacked. Delta and American Airlines have also reported hackings in the past.

It’s up to the consumer to be as careful and vigilant with their personal information and passwords as possible. Just because Marriott only requires a minimum 8-character password doesn’t mean that you only have to use 8 characters. You should create a very secure password – most security professionals recommend using a combination of alphabetic and numeric characters (at least 1 letter and 1 number), upper and lower case, and special characters (@, !, etc.).

Here are some tips:

  • At a minimum, consumers should not use websites that are not secure (look for the https in the web address), and when you’re providing your personal information – including passwords – be sure that you’re using a trusted source.
  • If a site’s security certificate is out of date or expired, don’t use that site.
  • Check out the vendor to see if they are PCI compliant – PCI is an international credit card standard meant to protect consumers’ personal credit card data.
  • Create a very secure password – don’t use Password123 – and be sure to reset your passwords frequently. Don’t use the same password for all of your accounts! If your account is hacked, and you have the same email address and password on all of your accounts, you’re very vulnerable.
  • Don’t give out your password. Earlier this year, when I had trouble with, they asked me to provide my password to them via email. Don’t ever provide your password via email. That’s an open invitation to hack your account.

Here is what Microsoft recommends for creating secure passwords:

    • It is at least 8 characters long.
    • Does not contain your user name, real name, or company name.
    • Does not contain a complete word.
    • Is significantly different from previous passwords.
    • Contains characters from each of the following four categories:
      - Uppercase letters: A, B, C
      - Lowercase letters: a, b, c
      - Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
      - Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
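As an added illustration (this is example code written for this post, not Marriott’s or Microsoft’s own), the following Python checker implements the criteria just listed and contrasts them with a length-only rule like the 8-character minimum described earlier in the post. The common-word list, the similarity threshold and the sample passwords are all constructed for the example; a real deployment would use a full dictionary and a breached-password list.

```python
"""Password policy checker modelled on the criteria listed above (example code)."""
import difflib

# Constructed mini dictionary for the "does not contain a complete word" rule.
# A production checker would load a real word list and a breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "hotel", "rewards", "qwerty"}


def meets_length_only_policy(pw, minimum=8):
    """A length-only rule, like the 8-character minimum with no composition requirement."""
    return len(pw) >= minimum


def has_all_four_categories(pw):
    """Uppercase, lowercase, numerals, and symbols/spaces must each appear at least once."""
    upper = any(c.isupper() for c in pw)
    lower = any(c.islower() for c in pw)
    digit = any(c.isdigit() for c in pw)
    symbol = any(not c.isalnum() for c in pw)  # keyboard symbols and spaces
    return upper and lower and digit and symbol


def contains_identity(pw, *names):
    """True if any word (3+ chars) of a user name, real name or company name appears."""
    low = pw.lower()
    for name in names:
        for token in name.lower().split():
            if len(token) >= 3 and token in low:
                return True
    return False


def contains_complete_word(pw, words=COMMON_WORDS):
    """True if a complete dictionary word appears anywhere in the password."""
    low = pw.lower()
    return any(w in low for w in words)


def too_similar(pw, previous, threshold=0.6):
    """Flag passwords that are not 'significantly different' from earlier ones.

    The 0.6 ratio is an assumed threshold for this example, not a Microsoft value.
    """
    return any(difflib.SequenceMatcher(None, pw, p).ratio() >= threshold for p in previous)


def check_password(pw, username="", real_name="", company="", previous=()):
    """Return the list of failed rule names; an empty list means the password passes."""
    failures = []
    if len(pw) < 8:
        failures.append("min_length_8")
    if contains_identity(pw, username, real_name, company):
        failures.append("contains_identity")
    if contains_complete_word(pw):
        failures.append("contains_complete_word")
    if too_similar(pw, previous):
        failures.append("similar_to_previous")
    if not has_all_four_categories(pw):
        failures.append("missing_category")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords: each passes the length-only rule but most fail the full policy.
    for sample in ("Password123", "Marriott6", "Welcome1!", "Tq7!vR#p2xL"):
        print(sample, "length-only:", meets_length_only_policy(sample),
              "full policy failures:", check_password(sample, company="Marriott"))
```

Note how every sample clears the length-only bar, while only the last clears the full policy; "Password123" (the example the tips above warn against) fails on both the dictionary-word and the missing-symbol rules. The similarity check is what stops a user from "resetting" to a one-character variation of the old password.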
