Up to 500 million people may have had their personal information compromised as part of an online security breach, Marriott Hotel announced Friday. The cyber attack occurred at Starwood hotels, which include The Westin, W and Sheraton hotels.
Gary Davis, the chief consumer security evangelist at McAfee, a cybersecurity company, spoke to Voice of America about what people can do.
Who should be concerned?
If you stayed at any of their properties, I would assume that they captured that information about you and that you could have been exposed.
What should someone do?
Go in and change your passwords. One of the big challenges we have with consumers is they tend to use the same password over and over again and so if you use the password you use for this account in other locations, then I would go in and change those passwords as well. Because what the bad guys will do is that this may not be a high-value password to them, but they know maybe it's the same password you use with your bank or a commerce site or things like that where would be higher value. So that's the first thing I would do. Go in and change your password. Super important.
What about bank accounts?
The second thing we would suggest they do is monitor your bank accounts. This is something every consumer should do as a habit. For example, literally every day I open, I have two or three accounts where I keep my money, I go in and check to see if there's anything that looks odd or suspicious in any of those accounts. It's just good hygiene because if I'm the bad guy, that's where I'm going to get the most upside.
The other thing I would do is if you're not using any type of credit monitoring, I would use that. I know that they have provided one as part of their service to help consumers out, use that one, use others that are available, but use a credit monitoring service to see if your data is coming up like on the dark web as being sold on the dark web or otherwise being compromised in the credit reporting systems.
Should I be concerned about my passport?
If they just got the passport number, which looks like the case here, they can't do much with it. I mean the passport only gives you the ability to travel. So without the actual physical document — the passport that can be machine-read at the airport — there's not a lot of value in that passport number. So again, I would look for any suspicious activities if you're a frequent flyer with an airline, see if somebody is trying to access those accounts and maybe use it to fly, but a passport number by itself is not that valuable.
Now, stuff like date of birth, address, social security number, those are the things that you can establish credit with and can be used to do fraudulent activities and things like that.
What do you do if you see something suspicious?
The first thing you'd do if you see suspicious activity either on your bank accounts or with the credit bureaus like someone is trying to get a credit card as you or something like that, contact them first, call the credit authority. Call your bank. Stop that immediately. Once you've done that, then yes, you go to the law enforcement and, and make sure that it's documented and they issue a police report.
Anything else?
I would certainly encourage that they have active antivirus running on their systems because in a lot of cases if they get your email and your password, they will use that to send you a phishing email for example. And then when you click on that, that has a strong likelihood of you downloading malware to your device and at that point they can do a lot more damage than just what they got in this particularly breach.
... If you do those three things, good password hygiene and management, checking your credit on a regular basis and make sure nothing is going on there and making sure that your system is got both the latest system patches and active antivirus running on it, you should be as well protected as you could hope to be in light of these types of incidents, regardless of if it's this organization or any other.
VOA’s Masood Farivar contributed to this report.