Marriott Rewards Acknowledges Attempt to Hack Members’ Accounts
Marriott and JetBlue have admitted that there were hack attempts; Expedia is reporting more credit card fraud, and HomeAway has been coping with an epidemic of phishing incidents. The state of online security and privacy is getting very dicey.
Marriott is cutting off access to Marriott Rewards members’ accounts from mobile devices beginning Thursday, because of a hack, until loyalty program members change their online passwords.
Marriott has been contacting Marriott Rewards members, urging them to change their passwords because “there have been recent attempts made to gain unauthorized access to a small number of Marriott Rewards members’ online accounts.”
Update: Marriott isn’t saying how extensive the breach of Marriott Rewards ended up being. Marriott spokesperson Laurie Goldstein says: “Our IT department has told us that it is virtually impossible to know how many, if any accounts, were breached. They would not have had access to any credit card numbers or social security numbers. We have reached out to members to change their passwords proactively as a preventative measure.”
In an email, Marriott is informing members of the loyalty program that beginning August 8 they will not be able to access their Marriott Rewards accounts from a mobile device until they surf to Marriott.com and change their passwords.
In response to an inquiry from Skift, Marriott states:
“There have been recent attempts made to gain unauthorized access to a small number of Marriott Rewards members’ online accounts. Once we learned of the situation, we immediately launched an investigation to determine the cause and extent of the unauthorized access.
“Our Data Privacy and Protection team has implemented safeguards to block these attempts and maintain the ongoing security of all member accounts. We are communicating with our Marriott Rewards members and providing them with resources and guidance as to how they can further protect their accounts.
“We take this matter very seriously as we have a long-standing commitment to protect the privacy of the personal information that our Marriott Rewards members entrust to us.”
Marriott doesn’t provide any detail confirming that accounts were actually breached, but there is a strong implication that they were.
The state of online security has been growing ever more tenuous.
JetBlue recently provided additional details of a hack into servers that housed confidential information regarding its employees — and the breach went undetected for an extended period.
Here’s the full text of the email that Marriott is sending to some users about the vulnerability of their Marriott Rewards accounts:
“Dear Marriott Rewards Member,
The security of your Marriott Rewards® account is of the utmost importance to us. There have been recent attempts to gain unauthorized access to a small number of members’ online accounts. Although your account was not included in these attempts, *as a precaution, we are requesting you to visit Marriott.com and change your password as soon as possible to assist us in ensuring the security of your account.*
“As of August 8th, 2013 you will not be able to access your online account from your mobile device until you have changed your password. *Please change your password on Marriott.com from your desktop; updates cannot be made on Marriott mobile applications.*
“1. To change your password log into My Account on Marriott.com, visit your Profile page and select “Change Password”.
2. Select a unique password, at least eight characters long, that is not used with any other online account you may have.
3. Security experts urge that a more secure password contains at least one number.
“Our Data Privacy and Protection team has been working diligently to implement safeguards to block these attempts and maintain the ongoing security of all member accounts.
“These types of online attacks become possible when individuals use the same email address and password combination for multiple online accounts. The email address and password combination becomes more susceptible to being collected via external sources and then used in an attempt to gain unauthorized access to other online accounts, such as your Marriott Rewards account.
“If you have any questions, please call Marriott Rewards Guest Services at 855-501-6802 for assistance. We take this matter very seriously as we have a long-standing commitment to protect the privacy of the personal information that our guests entrust to us. Thank you for your prompt attention to this important notice.
Marriott Rewards Guest Services”