New year, new tactics to keep your personal info safe after Marriott data breach

Take steps to protect your information, but be prepared for when, not if, it gets compromised.
(Michael Kirkham / For the Times)

As consumers, we’re thinking about data breaches all wrong. We ask how something like this can happen. We are shocked when 383 million people, more than the population of the United States, are potentially affected by digital evil-doers. We think nothing will happen to us. And we continue on our merry way. Wrong, wrong, wrong, and especially wrong, experts say.

The Marriott data breach might better be called the Starwood breach because it was Starwood's brands that were affected. (The 383 million number was recently updated after duplicates were removed, so the number has dropped by 117 million.)

Marriott acquired Starwood in 2016. If you stayed at a Sheraton, W, Aloft, St. Regis, Westin, Element, Luxury Collection, Le Méridien or Four Points, your data may have been exposed.


That includes “people’s names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information,” the Federal Trade Commission said on its website. “For some, they also stole payment card numbers and expiration dates.”

For info on that breach, go to, or you can call (877) 273-9481.

Interviews with three experts in this field persuaded me to change my point of view on how I look at personal information, especially when it comes to travel. Here’s what they explained to me:

First, your information probably will be compromised at some point.

It’s time to switch from asking, “How can something like this happen?” to thinking, “I am pretty sure this is going to happen.”

Companies can try to block every threat, but they can’t stop them all. And those that brag they are breach-proof are asking for trouble.

Bad guys “look at those challenges and take them on…for the challenge” of trying to break through, said Randolph Morris, chief technical officer for Releventure, a digital marketing company in Mission Viejo.

Second, your information is not safe even if you were not affected by the breach.

You and your information might be safe this time, but there are many ways into your digital life.


Ray Rothrock, chairman and chief executive of RedSeal, a cybersecurity analytics platform, recalls being on hotel Wi-Fi and seeing hundreds of other devices sharing that network. “Every device has vulnerabilities,” he said. Bad guys “go after low-hanging fruit.” He said they think this way: “If I can see it, I can hack it.”

Third, you are your own best defense.

You may not be a security genius, but you can help build little fortresses around your world, Rothrock said. The idea, he said, is containment.

Today, people have about 200 digital accounts, said Emmanuel Schalit, chief executive of Dashlane, a password management app. That’s a whole lot of numbers, characters and letters to remember, because you are using a different password for each one.

Aren’t you?

If not, here are some ways to protect yourself in the absence of protection from any company.

►Use different passwords for every account you have, each expert said. That matters, they said, because if you use the same password for every account, what’s to stop the hackers from accessing every account?


Here’s how Schalit described it: “Imagine you have 200 copies of the keys to your home and every time someone comes to your house, you [give] them one. None of us would ever do that in the real world.” You shouldn’t be doing it in the digital one.

►Use a password manager. Schalit, of course, would say that. (Full disclosure: I adopted Dashlane three years ago before I knew of Schalit because it came free on my new PC. I liked it so much I upgraded to premium so I can have it across all my devices.) Morris uses LastPass, and Rothrock uses 1Password. PC Magazine offers its best list:

A complicated password may be fine, but if used repeatedly, it’s no deterrent, Schalit said.

►Change your passwords. Switching may foil hackers, and if you have a password manager, you need to remember only the password to get into your vault. Again, secure Wi-Fi is key.

►Nag your friends and family to get a password manager. OK, Schalit didn’t exactly say you should nag, but when I told him I had tried, without success, to get family members to use this form of protection, he didn’t disagree that nagging is appropriate, so I took that as an affirmation.

►Use two-factor authentication if you can. It’s another layer of security. It keeps bad guys out by asking for a second verification besides your password. It may be a PIN you have set up, a number sent to your phone or a fingerprint.


The Times has this on one of its content management systems (and I have it on several accounts). It sends a text, calls you or asks for a pass code. One of my colleagues was trying to log in last week, reached the part about a call, a text or a pass code and was stopped cold. He had left his phone at home and had no idea of his pass code.

►Check your accounts — credit card and checking. Morris monitors his carefully every two weeks. Although this can’t prevent a problem, it can alert you to one.

►If your credit card has this feature, ask to be notified about unusual purchases. Sometimes, those who have compromised your credit card will put through a charge of a dollar or two. Once they realize they have a valid account, they will try a big charge. With an alert system — text, call or email — you can prevent false charges, although you probably will have to get a new credit card.

►Carry two credit cards when you travel — one as your main form of payment and one as a backup. Monitor these cards closely, but make sure you are using secure Wi-Fi.

►Turn on the firewall on your PC, which should block potentially problematic communications. Here is how to do that if you’re a Windows user: Here’s how to do this on a Mac:

There may come a day when there will be consistent governmental security oversight. Beginning in 2020, devices that connect to the internet must have security, mandated by legislation signed by Gov. Jerry Brown before he left office. Whether you agree that government needs to be involved is a debate for later. For now, be your own best friend. Money you spend now (a premium password manager, for instance) may keep the money you have safe.
