Unless you’ve been living in a missile silo, there’s no way you missed the news of the Marriott data breach that compromised the records of up to 500 million guests.
CNN notes that Marriott says the guests' exposed information includes their names, phone numbers, e-mail addresses, passport numbers, date of birth and arrival and departure information. For millions of others, their credit card numbers and card expiration dates were potentially compromised. Early investigation notes are pointing to Chinese state hackers as being behind the breach, although definitive results have not been released.
Marriott says that it can't confirm if the hackers were able to decrypt the credit card numbers.
So far, so not good. The question for sports event organizers, however, is what to do about it.
The possibility that your records (or those of a group you’ve managed) were among those compromised is significant. The breach apparently dates back to 2014. Additionally, Marriott is a huge brand with any number of subsidiary hotels, including:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton
- Design Hotels that participate in the Starwood Preferred Guest program
- Starwood-branded timeshare properties
Let’s face it: that’s a lot of hotels and chances are, you’ve been in one or more of those and so have your athletes and their families. In fact, you may have used them as your preferred properties. So, of course, the question becomes what to do next.
The great folks at Fortune Magazine have outlined some steps to take, and this is critical information you can pass along to your teams and athletes as well:
First, if you stayed at a hotel with the Marriott name, you’re safe, since those systems were on a separate network. (But you know what? You should mention it to your participants anyway, as they may have stayed in other hotels, though not under your watch).
Affected hotels do include all those mentioned above in the bullet-pointed list. If you stayed at one of those hotels, Fortune says you should do the following:
Step one: Check your accounts for fraudulent activity. Most Americans don’t keep close tabs on their checking and savings balances and don’t examine every item on their credit card bill — and hackers count on that. (Don’t just look for big charges, either; check for pesky little $15 or $20 dings that might otherwise pass unnoticed each month.)
Step two: Set up credit monitoring to ensure no one is using your personal information. Marriott is offering guests a free one-year subscription to WebWatcher, which monitors Internet sites where personal information is shared and alerts consumers when their information is detected.
It’s also not a bad idea to sign up for a credit monitoring service, such as Equifax’s TrustedID Premier (though Equifax had a notable data breach of its own in 2017) or CreditKarma.
Step three: If you’re especially worried about identity theft, consider a credit freeze, which prevents new credit from being issued without your direct permission.
“Your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring,” notes the U.S. Public Interest Research Group.
Step four: Keep an eye on non-financial accounts, like your Starwood Preferred Guest membership, for any suspicious activity, such as reward points being used. Alert Marriott immediately if you see this occurring.
(Seriously – even though it may not concern you quite as much as your credit card, you need to keep an eye on this. There are black markets for things you might not even know about, like frequent flyer accounts and preferred guest points).
Step five: Consider applying for a new passport, especially if you’ve stayed at one of the affected hotels while traveling internationally. This could take several weeks (a routine processing time is 4-6 weeks; expedited processing is 2-3 weeks). Before you do this, though, be aware that once you report your passport as lost or stolen (or, in this case, potentially compromised), it will immediately become invalid and can’t be used for international travel.
Step six (and this is crucial): It’s time to change your passwords again. Yes, it’s a pain, but it’s a critical step, especially if you’re using the same password on multiple sites.
Fortune notes that stock for Marriott dropped 5.6 percent in pre-market trading in the wake of the revelation – something that probably isn’t top-of-mind for sports planners – but it has served to let Marriott know people are disappointed by this enormous lapse.
Marriott personnel say they understand and are aware of the gravity of the situation – and of the inconvenience to those who have stayed at its properties.
"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward," said CEO Arne Sorenson.
Marriott said it has begun e-mailing guests affected by the breach and has created an informational website. There's also a call center; for U.S. customers, that call center can be reached at 877-273-9481. Customers in other countries should use the informational website to find their call center. E-mail can be sent to incidentsupport@kroll.com.
Unfortunately, things might get worse for Marriott before they get better. CNN notes that because the hack involves customers in the European Union and the United Kingdom, the company might be in violation of the recently enacted General Data Protection Regulation. (To read about how GDPR could affect sports events, go here).
Mark Thompson, the global lead for consulting company KPMG's Privacy Advisory Practice, told CNN Business that hefty GDPR penalties will potentially be slapped on the company.
"The size and scale of this thing is huge," he said, adding that it's going to take several months for regulators to investigate the breach. He said there's a trend for class action lawsuits in these cases.
For now, it’s best to adhere to the maxim of ‘maximum exposure with minimum delay.’ Inform your athletes and their families. Make sure they have a list of the six steps shown above. Let them know about Marriott’s informational website and the steps it has taken. Apologize for the inconvenience and let them know you’re staying on top of the situation as well.
It’s an unpleasant subject but it won’t improve by being ignored. Taking the steps now can work to restore trust for future events.