BREAKING: Marriott and the U.S. Postal Service are the Latest Mega-Data Breaches
The Marriott hotel chain and the United States Postal Service are the latest and most prominent of the data and security breaches that threaten and compromise the personal and financial information of millions of people. In lesser-known and lesser-reported announcements, an exposed server running the search technology Elasticsearch, computer maker Dell, and the department store chain Nordstrom also recently disclosed data breaches.
With more than 500 million people affected, the Marriott data breach is the largest and potentially most damaging. But regardless of the size and scope, if your private personal and sensitive financial information was lost or exposed, you can be a target of fraud, phishing and identity theft.
No matter how careful you are with your data, how securely you keep your information, and how diligently you protect your accounts, you are virtually powerless to prevent someone else who holds your information from losing it. So, the next best thing is to minimize your risk and make it difficult for cybercriminals to use your information.
Marriott data breach
The hack compromised Marriott’s Starwood guest reservation system. What’s more concerning is that the breach began in 2014 and Marriott didn’t become aware of it until this past September.
Marriott owns many hotels under the Starwood brand. Starwood properties include:
- W Hotels;
- St. Regis;
- Sheraton Hotels & Resorts;
- Westin Hotels & Resorts;
- Element Hotels;
- Aloft Hotels;
- The Luxury Collection;
- Tribute Portfolio;
- Le Méridien Hotels & Resorts;
- Four Points by Sheraton; and
- Design Hotels.
The size of the hack makes it one of the largest ever disclosed. The Wall Street Journal tweeted, “The Marriott hack is one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected. Only a 2013 breach of Yahoo that affected three billion people may be bigger.”
In its press release, Marriott said: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
The release also said that the data breach included encrypted payment card numbers and payment card expiration dates.
USPS data breach
The U.S. Postal Service announced just after Thanksgiving that a flaw in its Informed Delivery service, which lets users preview mail before it arrives at their home or business, allowed identity thieves to see what mail was arriving at users’ homes on which days. Criminals who exploited the flaw could use the information to intercept checks or important documents.
The USPS data breach exposed information of 60 million users.
ElasticSearch leaked personal information
An exposed Elasticsearch database (Elasticsearch is a technology used for powering search functions) “leaked the personal information of nearly 57 million Americans for almost two weeks.” According to ZDNet, the records in most cases “contained personal information such as first name, last name, email address, home address, state, ZIP code, phone number, and IP address.”
In addition, the server that exposed the first database also contained a second database that appeared to hold 26 million business records. Those records included names, company details, ZIP codes, carrier routes, latitude/longitude coordinates, census tracts, phone numbers, web addresses, email addresses, employee counts, revenue numbers, NAICS codes, and SIC codes.
Hackers remove Dell customer information
Dell, the company that makes computers and other electronic hardware, announced that it experienced a security breach in early November. The company revealed on November 28, 2018 that there was “unauthorized activity on its network” that attempted “to extract Dell.com customer information.” That information contained customer names, email addresses, and hashed passwords (i.e. the password 12345 would appear as a scrambled string such as #####). Hashed passwords are not stored in plain text, but they can still be recovered if the attacker can crack the hashing algorithm, which is far easier when the original password is short or common.
A press release issued by Dell said that “it is possible some of this information was removed from Dell’s network,” but that the company “found no conclusive evidence that any was extracted.”
Potential future cybercrime
Data breaches are dangerous because they can expose your private personal and sensitive financial information. But they also expose you to potential future cybercrime. Brian Krebs, a cybersecurity expert who runs the well-known blog krebsonsecurity.com, wrote a post about the Marriott data breach. In the comments, he addressed a critical question: What, if anything, can the “bad guys” do with the stolen passport numbers? Krebs responded:
One aspect of these types of breaches that often gets overlooked is their utility for future phishing attacks. That’s a ton of information to have and to draw upon when you’re conducting spear-phishing attacks going forward.
E.g., find all the Black Card users with unlimited credit and then single them out with targeted phishing attacks. Do this for just-made reservations, and you could quite convincingly send recipients a notice saying the card transaction failed and that you need more information or need a different card, etc. Or, they could include the passport info to make the whole thing look more legit, and then say the notice about the rejected transaction is included in a (malware booby-trapped) PDF. Really, your limit here is your imagination as an attacker.
Rely on your own data protection
Marriott said on its website that it will provide guests a free one-year subscription to the internet monitoring service WebWatcher, along with fraud consultation services and reimbursement coverage. However, there’s no telling how long the hackers, or the criminals to whom they sell the data, will hold on to your information before using it. One year of credit and fraud monitoring may very well be insufficient.
So, take your own data protection into your own hands. For instance, before giving a company your personal information, think about a few important factors.
If you receive a phone call requesting or discussing any personal or financial information, hang up and call the company back yourself. For instance,
- Nuvision will NEVER initiate a call and ask you to provide sensitive personal or financial information over the phone.
- Nuvision will NEVER initiate a call and ask you to provide an ATM PIN over the phone.
- Nuvision will NEVER initiate a call and ask you to provide an account number over the phone.
- Nuvision will NEVER initiate a call and ask you to provide the three-digit code on the back of a debit or credit card over the phone.
- Nuvision will NEVER initiate a call and ask you to provide online banking login or password.
Maintain strong and unique passwords
Do you use a separate password for every account? If not, one data breach could potentially put all of your accounts – and the information they contain – at risk. Try to create a unique password for every login, or at least for your most important accounts. Also, to help you manage multiple passwords, consider using a password manager.
Stay on top of fraud trends and news
Nuvision is your credit union resource for alerts, news, and information about fraud, identity theft, financial and data protection, and cybersecurity. Learn about fraud protection and follow Nuvision on Facebook and Twitter to receive updates when new articles are published.