massive hotel data breach

Are you a person of interest???

This is Part II of a two-part blog post; Part I is published separately.

The massive Marriott/Starwood breach in which 500 million consumers were affected has obvious cybersecurity and privacy ramifications. It also has another rather dark underside.

The breach is believed to be state-sponsored. The state-sponsored hackers are the same ones believed to be involved in other alarmingly large breaches, such as the Anthem breach and the Office of Personnel Management breach. These records aren’t currently for sale on the dark web. Why? Because the data is likely being used to seed a data warehouse of identity details for large-scale nefarious data mining.

Unfriendly nation-states can use the incredibly detailed identity analytics from these breaches to profile you. And, if you are a person of interest, don’t think that they can’t use this information to compromise you.

For some 327 million of the guests, the breached data contains detailed information that includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

What can you expect? What can you do?

  1. Immediately change your Starwood/Marriott password to a unique, complex password not used anywhere else.
  2. If you reused the breached password on any other site, immediately change it to a unique, complex password you haven’t used (and won’t use) anywhere else.
  3. When possible, enable two-factor or multifactor authentication on the goods, services, applications and resources that offer it. It reduces the chance of impersonation.
  4. Use a reputable password vault as the store for your unique, complex passwords.
  5. Expect new and better (more detailed) phishing attacks built from the PII extracted from the breached database.
  6. Expect nation-states to potentially use this information as leverage if you are a person of interest to them.

Your corporate data is at risk, your customer PII data is at risk, your administrative credentials are at risk. Passwords alone are not enough.

Multifactor authentication (MFA) is one of the best methods to protect against online phishing, fraud, impersonation, man-in-the-middle attacks and more.

To have some semblance of a proper security posture, you must assume you are already breached. You should feel some urgency to aggressively defend your user base. MFA doesn’t have to be difficult to implement.
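To make the point that MFA need not be hard to implement concrete, here is an added example (not code from the original post and not Optimal IdM’s product) of the most common second factor, a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226) with only the Python standard library. The server-side verifier compares in constant time, tolerates one 30-second step of clock skew in either direction, and remembers the last accepted time step so that a code intercepted by a phisher cannot be replayed inside its validity window. The base32 secret at the top is a constructed demo value; a real deployment generates a random secret per user and stores it encrypted at rest.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret (base32, RFC 4648) for this example only.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, at // step)


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret, restoring the padding authenticator apps omit."""
    padded = b32.strip().upper() + "=" * (-len(b32.strip()) % 8)
    return base64.b32decode(padded)


class TotpVerifier:
    """Server-side TOTP check with constant-time compare, a +/- `skew` step
    window, and replay protection via the last accepted time-step counter."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # this step (or an older one) was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)            # what the user's authenticator app shows
    verifier = TotpVerifier(secret)
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now))   # True
    print("replay accepted:", verifier.verify(code, now))      # False
```

The replay guard is the part worth copying: without it, a one-time code stolen through a real-time phishing page remains valid for the whole skew window, which is exactly the impersonation risk the post warns about. Persist `last_counter` per user alongside the secret so the guard survives a restart.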

Optimal IdM has a robust MFA offering that has been named “Best Multifactor Authentication Solution” in the 2017 Government Security News (GSN) Homeland Security Awards (HSA) Program under the Cyber Security Products and Solutions category. Contact us at sales@optimalidm.com for more information.

Optimal IdM

Optimal IdM offers on-premises, hybrid and dedicated, single tenant cloud solutions. We can have most customers up and running within a few days — sometimes in just a few hours. Optimal IdM supports encryption both in transit and at rest. We provide a full identity solution with concierge services — no federation expertise or specialized skills needed by you. We’ll bring our expertise to your identity issues and help future proof your investment.

For more details, contact us to talk through your project at sales@optimalidm.com.
