10 Ways to Protect Yourself in Light of the Starwood/Marriott Breach

January 28, 2019

By: Drew Sorrell

Marriott International announced a massive data breach of its Starwood database. Hackers took off with names, mailing addresses, phone numbers, email addresses, passport numbers, affinity account information, dates of birth, gender, arrival and departure information, reservation dates and communications preferences or some combination of this personal information. According to Marriott officials, the stolen information was accessed from the Starwood database as early as 2014 and affects information in the company’s possession prior to September 10th of 2018.

Unfortunately, Marriott’s troubles are not an isolated event. Welcome to the new millennium.

Here are ten ways to protect yourself:

  1. Communicate with business associates

Are you traveling? The hackers now know who you are via your Marriott information. Remind your business associates how a smart hacker can exploit and spoof your email to look like it’s coming from you, and to always double check with you personally before acting on that odd request to wire money or send employee information to “you” while you are traveling. Sending “emails from you” while you are traveling is a great way to keep you from learning that “you” have just ordered a wire transfer.

  2. Change your passwords

If you recycle passwords as many of us do (but shouldn’t), at a minimum change the password for every account that uses the same email address as Marriott (or any other breached account). Consider changing your passwords on a routine basis using a trigger that is easy to remember, such as daylight saving time.

  3. Change your Starwood password


  4. Sign up for credit monitoring

Credit monitoring is increasingly cheap and in some cases free. I used to recommend that this be done when you learn of a breach, but breaches are now so common that it really should be a constant in your life. Why not have it in place so that if a new account is opened, a new credit check hits or the like, you get an instant message or email when it happens and can react?

  5. Get a password manager

One of the problems with passwords is having to remember them. With a password manager, you create a single master password (we suggest using a pass phrase that is memorable, long, and includes a number and special character or, similarly, use the first letters from the phrase as the password itself to give an almost random password), and then file your other passwords into the encrypted password manager. You won’t have to remember any passwords but the one that gets you into your password manager. Easier and safer!

  6. Download the App for your credit cards and banks

Frequently, these apps will permit you to turn on messaging to alert you of transactions or even freeze the account. Thus, if you are sitting in a meeting and get a text that “you” just bought something, you may react immediately. Many also offer two-factor authentication, where you receive a special code via text after logging in – highly recommended if available.

  7. Consider your email choice

If you are using your work email, as many of us do, for travel or other accounts, when they are breached, this email address is a trail back to you at the office. We suggest using a different email address that is generic and sanitized for such things.

  8. Good ol’ 2FA

2FA is cool-dude speak for “two-factor authentication”. When it is available, you should use it. For instance, if your bank account will permit you to set 2FA, say by requiring entry of a password, and then an email with a code that should be entered, then use it. Can you really be too careful?

  9. Be suspicious

If you get an unexpected email from “someone” you know (or especially if you do not know them) that contains a link or an attachment, think twice about clicking it. It doesn’t take much to download malicious software. Along those lines, if you accidentally click the link or open the attachment, don’t be bashful and decide “it’s probably nothing”. Reach out to your help desk folks and get them to help. Or, if at home, make sure your antivirus and anti-malware are up to date, then run them.

  10. Finally

If you are still reading this, then your data thanks you and reminds you to call your loved ones, especially the aged ones. They love to hear from you and it’s the right thing to do. Oh, and while you are catching up with them, make sure that they are also being safe with their data. Help them to understand these issues and help them be safer.

Hackers are smart. Try to be smarter with extra thought and security applied to all your online activity.


Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued to the United States Court of Appeals for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to The United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.
