Hacked Marriott loses our confidence

CHIANG RAI, 3 December 2018: Every time we make an online payment, book a hotel, airline, or use internet banking, we act in good faith believing the systems are hack-proof. But are they as safe as they are cracked up to be?

We conveniently ignore warnings, often believing it will never happen to us. We want to believe the digital era is friendly and theft-proof. Thugs and hackers might roam the earth intent on sowing chaos, but our digital space is immune to attack.

The first shock for Asian travellers was the extent of the Cathay Pacific hack and the apparent attempts to cover it up.

We imagined it was just a glitch in a system that was resolved in weeks. It had in fact extended for 10 months.

Now Marriott, arguably the world’s largest hotel group, admits its system has been hacked, potentially exposing the personal information of around 500 million guests who used its Starwood-branded properties going back to 2014.

My first reaction was to check if I had stayed in any of Marriott’s Starwood hotels over the last four years and perhaps left behind credit card or identity data.

Fortunately I hadn’t stayed in any Marriott or Starwood, or so I thought. I actually attributed my good luck to having stayed in independent hotels, boutique properties and guesthouses.

But I was grateful for a Malware Alert that reminded me to check the various brands that could have been hacked.

It warned that compromised data included name, address, phone, email, passport number, and date of birth. For some victims, the stolen information also included credit card numbers and expiration dates.

It continued to identify the brands that had fallen victim to the attack and told me that if I had stayed at any of the Starwood properties, “you’ve been affected.”

The brands identified were: Westin; Sheraton; The Luxury Collection; Four Points by Sheraton; W Hotels; St. Regis; Le Méridien; Aloft; Element; Tribute Portfolio and Design Hotels.

With a sigh of relief, I ticked off the brands, promising never to stay in any of them until the hackers are safely behind bars.

Then I realised that I had signed up for a Le Méridien member card locally here in Chiang Rai in 2014 to get discounts on dining. Then another memory flash had me staying for a single night in a noisy Aloft in Bangkok, also in 2014. Then I recalled St Regis asked me for a credit card imprint to cover extras.

So even as a dedicated budget traveller who avoids super brands, upscale, further upscale and over-the-top scale with a passion, I had lapsed a couple of times.

Fortunately, the Malware Alert offers tips on how to protect yourself if you think your data could have fallen into the wrong hands.

“Reset your password now. Change your password for any accounts that could have been compromised.

“Enable multi-factor authentication. With multi-factor authentication in place, even if cybercriminals steal your login credentials, they still won’t be able to access your account without at least one other authentication mechanism, like your phone for example.

“Monitor your credit accounts. Look for any suspicious activity.

“Consider freezing your credit. A credit freeze makes it harder to open up a line of credit under your name by restricting access to your credit report. You can lift or stop the freeze at any time. The only hassle is that you must contact each credit bureau individually to enact or remove a freeze.

“Watch your inbox carefully. Opportunistic cybercriminals know that millions of victims of any given data breach are expecting some kind of communication regarding hacked accounts. These scammers will take the opportunity to send out phishing emails spoofed to look like they’re coming from those hacked accounts in an attempt to get you to give up personal information.”

The latest hack is on an unprecedented scale in the travel business and should be enough to sound alarm bells. Data security needs a serious rethink across the industry. We can’t take it for granted. Hotel groups, online travel agencies and airlines have to do a better job to ensure our data is protected. If the so-called largest hotel group in the world fails to stop hackers, and apparently the Marriott hack had its roots in a Starwood breach dating back to 2014, what hope do smaller hotel groups and travel firms have to keep hackers at bay?

Predictably, Marriott’s chief apologised. It’s the least he could do.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive officer. “We fell short of what our guests deserve and what we expect of ourselves.”

Sorry, but that’s not enough. We trusted you due to your sheer size, ability and professionalism, and you let us down.

Marriott started to send emails to affected guests, starting Friday.

“We are still investigating the situation so we don’t have a list of specific hotels. What we do know is that it only impacted Starwood brands,” Marriott spokesman Jeff Flaherty told Reuters on Friday.

That is not very reassuring. Neither is the fact that the hack alert sounded on 8 September and it has taken Marriott up until 29 November to tell its customers.