4 Things You Should Do to Protect Yourself From the Marriott Hack

The reason Marriott will weather the storm of 500 million records being hacked is that all of our information has already been hacked. First, we’re immune to it. And second, there’s really not that much new that’s going to be out there as a result of this network infiltration.

It’s only been just over a year since the Equifax hack was disclosed. And if you’re a federal employee your address, date and place of birth, social security number, and even detailed security clearance background informationubiquitous as social security numbers and Mothers Maiden Name.

Marriott says they’ll pay the cost associated with compromised passport numbers — but only after it’s too late and you’ve already been a victim.

Krebs on Security makes the point that if there is any of your personal data that’s not already leaked out of some system, you should assume “Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold.”

There are four things you can do that make sense to me:

  1. Don’t use the same password on multiple sites. That’s because your passwords will be hacked, and anyone who has that password can then use it to access your other accounts too.

  2. Use complex passwords. The only way this makes sense though is with a password manager. And then you have to trust the security being used by that password manager.

  3. Check your credit report regularly. The best way to protect yourself against fraud is to learn about it as quickly as possible.

    That’s why, by the way, AwardWallet is so useful for protecting frequent flyer accounts from fraud — you’ll know about account balance changes right away, before someone flies or stays on your miles. And that’s why loyalty programs that block AwardWallet have only themselves to blame for the cost of fraud.

    Some people recommend freezing your credit file; I find that too much of a pain in securing credit to be worthwhile.

  4. Don’t trust your email. Always assume links sent to you that you weren’t expecting are phishing efforts even if the URL you’re taken to looks familiar. Type the web address in yourself, or verify with whomever is sending it that the request you’ve gotten is real.

Multi-factor authentication is good, ideally not using text messages. But it can be a pain. Social security numbers have already been broken as a means of identification. They’re hard to replace though. We should expect many more hacks, and most people will just go on not worrying about them.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.



  1. I’d love to get your reasoning on why text messages are not a good form of two factor authentication. Seems good to me, and if dealing with a bank like Chase that uses long numbers for authentication, having the number on the phone screen is helpful.

  2. So for not trusting links…. should we trust your referral links that connect with brokers we’ve never heard of and who then get all of our personal info…just to give you $150?

  3. Joseph N. – If you are curious, I would recommend reading Time magazine’s article “My Cell Phone Number Was Stolen. It Nearly Ruined My Life” from 6/8/18. T-Mobile is one of several outfits that were hacked recently, and this had serious consequences for some individuals.

  4. I froze all 3 credit report accounts. Took about an hour.
    If a new card offering I just gotta have, will worry about it then—-and sleep soundly in the interim

  5. The notion that this Marriott situation shouldn’t be too concerning because all of the stolen data was already out there is almost certainly one not to be accepted as fact.

    Additional stolen information about a person who has already had some (and maybe even a lot) of information about them stolen is useful to criminal efforts and espionage efforts (if even different) even if it seems largely duplicated. Also, if there is a lot of stolen information out there that is duplicated in large part, the price of that stolen information in the black market probably drops and becomes more available for use for such things as engaging in home break-ins of vacationing persons, emptying out their loyalty program account balances without being a highly-skilled computer hacker, engaging in credit or invoicing theft and so on.

  6. Freezing your file permanently is a no-brainer now. I did a mini app-o-rama in November and it took all of 1 minute to temporarily unfreeze my Experian file (and you can designate when you want the freeze to start again). You could do it every day if you want.
    As for 2-factor phone authentication – it is highly recommended by all security experts and I find most banks use texts. Unfortunately not an option for most FF accounts.
    Finally it is always a good idea not to use your mother’s actual maiden name as it is just too easy now for a scammer to locate that information on the internet. Pick another code word, or go back a few generations…

  7. @Boraxo
    +1 Great points. Yeah, I was one of the Equifax victims and all was quiet until one morning in May this year where I woke up and had alerts that someone did an app-o-rama for 4 new credit cards and submitted a change of address form to my post office so they could intercept the newly issued cards. I got that all cleaned up, then put all 3 bureaus on freeze. Since then, I have applied and been approved for 2 or 3 new cards and each time I just log into all 3 bureaus, unfreeze my file for 1 day (there is an option you can select that lets you choose to have it automatically resume freeze after 1 day so you don’t have to log back in and refreeze). It takes about 10 minutes to do all 3 and really is not a pain to do it. I sleep much better now knowing the crooks will just get denied if they apply for anything now.

  8. So many opportunities for theft yet the trend is pretty stable. However with the surge in porch piracy it seems that ordinary people are less afraid of the consequences.
    The cost for identity theft monitoring will need to get lower, and consumers and credit issuers - cards, loans, mortgages, property titles, checking accounts, 401ks, IRAs, countless others that rely on online self service - will need to figure out a way to catch fraudsters when they attempt to pirate your ID, property title, IRA, etc. Key is to be able to catch them in the act, not 3 years of forensic investigation later. Which means that the detection methods have to take another leap up, such as using biometrics or, horror of horrors, doing your business in person at a local branch.
    In addition to Equifax and Marriott, you can bet that many local and state agencies have been hacked but don’t know it. The reason Marriott and Equifax breaches have not had larger impact is because your info has been out there for a while. Just like mail and packages have been dropped off for a long time, now, people, despite cameras everywhere, feel that the odds are in their favor to lift packages and not get caught.

  9. I promise: freezing and thawing a credit report is not too cumbersome. I have done it and three days ago went into an AT&T store to switch from another cell provider. The night prior, I thought about thawing the accounts when “life happened.” So there I was and the employee asked me for my SSN. “You need to check my credit, right?” “Yes Sir,” he replied. Well, let’s see how this works. “Go ahead,” I said. Then, I began pulling up the 3 sites: TransUnion, Equifax, Experian. About 2 minutes later he said, “Sir, there is a notification that your credit is frozen. We can’t do anything until you get rid of it.” It works! I then promptly put a temporary lift, or thaw, on the file and 10 minutes later he said, “Your credit pull has no issues and we are good to go.” I’m glad I could witness the action of the freeze working and if I really wanted to save time I could have done it prior to coming in (silly me forgot), but I was only out 15 total minutes. Last thing: the only way to be proactive with your credit is to freeze it. Everything else will put you in Reactive mode.

  10. A big thanks to the folks here who’ve posted about freezing and unfreezing credit reports. Very useful info.

