Why Marriott's ID Theft Protection May Not Be Enough

Victims of the hotel's massive data breach will need to take additional steps, experts say


Marriott, which recently announced a massive data breach of its hotel reservation system, is offering a year of free ID theft protection to the 500 million guests whose personal data was stolen.

While identity theft and privacy experts say consumers should take advantage of the service, called WebWatcher, they warn that it also has significant limitations. They are particularly concerned about the relatively short window of coverage, since identity thieves often wait to use stolen data.

As a result, these experts say consumers need to take additional steps to make sure they’re protected. (More on that below.)

WebWatcher offers a package of services, dark web monitoring and ID theft insurance among them, that are among the key elements in effective ID theft protection, says Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center.

Notably, however, WebWatcher does not offer a credit-monitoring service to alert consumers when new accounts have been opened in their name, which most identity theft services do include, according to government research.

The personal data exposed by the breach includes names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences, Marriott said.


For some people, the compromised information also includes payment card numbers and payment card expiration dates, but the card numbers were encrypted, the hotel chain said.

According to Marriott's breach announcement page, WebWatcher is provided by Kroll, a subsidiary of Duff & Phelps, a corporate advisory firm. (You can reach it via a link on Marriott's breach announcement page.)

Here's what you need to know about WebWatcher, its features and limitations, and what else you should do about the potential threat to your personal information, including your passport information.

Dark Web Monitoring

WebWatcher scans criminal sites on the so-called dark web, a digital black market, where criminals often trade in stolen personal information.

Users who sign up for the service must input their personal data to have it monitored. The service will search for suspicious activity for one passport number, up to two email addresses, a Social Security number, up to three phone numbers, up to five credit and debit card numbers, up to five bank account numbers, and up to five medical ID numbers.

The service will monitor your information for a year from the time you sign up. If it discovers possible identity theft, users will receive a notification by email.

Justin Brookman, director of consumer privacy and technology policy for Consumer Reports, says consumers should consider using the dark web monitoring service being provided.

“I wouldn’t pay for dark web monitoring, but since it’s free and doesn’t require consumers to provide a credit card number to automatically re-enroll at the end of the free use period, it can’t hurt to have it,” he says.

However, he counsels that consumers who use the service need to remain vigilant.

“Dark web monitoring products can sometimes offer a false sense of security and aren’t particularly effective at protecting your data.”

Rather, what they do, Brookman says, is alert you if your data is out there. Bear in mind, if your data turns up in a dark web scan, it means the crooks already have it and you can't get it back from them.

Identity Theft Insurance

The policy included with WebWatcher is provided to U.S. residents by Allianz, a global insurance company.

Velasquez recommends that consumers also check to see whether they already have ID theft insurance, which is sometimes available as a rider to your homeowners insurance, as a part of your employee benefits package, or included in the perks offered by a member organization, such as a union. If you do, she says, examine both policies to see which is more robust.

Here is what the WebWatcher ID theft insurance offers:

You’re protected for one year: Allianz will cover claims for one year from the time the breach was announced on November 30. Any ID theft events that occur outside of the window will not be covered. That could be a concern since the threat stemming from this breach will not go away after your coverage window closes.

"It's static information, it doesn't change. That data is threatened in perpetuity," says Velasquez.

You have 90 days after you discover that your identity was stolen to make a claim.

Financial loss coverage is limited: ID theft insurance coverage is geared toward paying fees incurred in fixing your identity—loan re-filing fees, travel and notary costs, and lost wages. Allianz says it will cover up to $1 million for these expenses.

However, the coverage for actual financial losses—say, if a criminal raids your investment accounts—is more limited: up to $10,000.

While most banks are covered for fraud and can likely help you recover losses due to identity theft, other financial products, such as cryptocurrencies and some investment accounts, most often won’t be. Check to see if your investment firm offers protections for funds lost due to fraud.

Legal fee coverage is low: The insurance covers legal fees, but only at a rate of up to $125 an hour. Fees in excess of that rate need to be approved in advance.

According to Chi-Chi Wu, an attorney at the National Consumer Law Center, it will be tough to find an attorney to work at that rate, especially in California and the Northeast.

Filing a claim can be frustrating: “It was an absolutely maddening process,” says Marc Groman, a former senior advisor for internet privacy in the Obama White House who had his own ultimately successful experience with another ID theft insurance company to resolve his tax fraud claims. Overall, ID theft insurance products have very low payouts, government research finds.

Other Ways to Protect Yourself

Monitor your credit report: Since it isn’t offered in WebWatcher, you’ll have to either sign up for another credit-monitoring product or request a copy of your credit report from each of the major credit bureaus. By law you’re entitled to a free copy from each major credit bureau once a year.

Freeze your credit: This is the most effective way to preemptively guard against criminals opening fraudulent accounts in your name.

"Plus, it's free for everyone in the United States now," says Velasquez.

The best way to do it is by contacting the big three credit bureaus online: Experian, Equifax and TransUnion. Freezing your information at just one won't offer the fullest protection possible.

Seek help from experts: WebWatcher offers a call center staffed with licensed investigators. It is open seven days a week and can provide advice in multiple languages. However, the hotel chain says right now consumers will need patience, due to high call volume.

Consumers can also reach out to the Identity Theft Resource Center, which offers free phone support for people impacted by a breach through its own call center at 888-400-5530.

The Federal Trade Commission also offers ID theft resources.

"Experts can help maneuver through the different circumstances, and aid in different scenarios that may arise from these breaches," says Matt Cullina, CEO of CyberScout, an Identity Protection and Data Risk Services firm.

Check your active accounts: It’s important to monitor your existing accounts for unauthorized withdrawals or charges. According to Bureau of Justice statistics, the vast majority of identity theft victims are targeted through existing accounts, not new accounts.

Manage the Passport Threat

While those steps may help protect you from financial fraud, they won't help with the threat posed by the theft of passport numbers.

"The passport information that may have been exposed is pretty significant," says Cullina.

Velasquez says that if consumers receive a direct communication from Marriott (an email or a letter) indicating that their information, including name, address, and passport number, was compromised, they should consider renewing their passports. The new passport would receive a different number.

Marriott is in the process of contacting clients directly. In the meantime, the hotel chain says it's working on a solution to help its guests who want to change their passports and may cover the expense of doing so.

"As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident," a Marriott spokesperson told Consumer Reports. "If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."

Cullina supports the move. "That's the right thing for Marriott to do, to step up and cover those costs as well," he says.

Passport renewal fees vary. The application fee for an adult to renew a passport book is $110. It's $30 to renew an adult's passport card, and $140 to renew both.


Octavio Blanco

My mission: To write stories that broaden readers' horizons and offer new solutions they can apply to their lives. Who I write for: My family, my friends, my neighbors, myself, and—most important—you. My passions: Music, art, coffee, cheese, good TV, and riding my electric bike (for now). Find me on Twitter: @octavionyc