Marriott Announces Starwood Hotels Data Breach
PSCU Risk Analytics is currently researching the announced breach of the Starwood Hotels guest information database.
We are in the very early stages of our investigation. Currently, Marriott (parent company of the Starwood Hotel chain) has indicated exposure of the following:
- Name, gender and date of birth
- Mailing and email addresses
- Phone number
- Passport number
- Starwood Preferred Guest account information
- Arrival and departure information
- Reservation date and communication preferences
Marriott has stated that payment information was protected by encryption technology, but has not ruled out the possibility of the encryption keys being exposed as well.
Data Exposure Timeframe
The exact timeframe of the data exposure is yet to be confirmed; however, there are indications that the exposure started sometime in 2014 and concluded in September 2018. Given that suggested timeframe, it is worth noting a previously disclosed data breach by Starwood of their point-of-sale (POS) terminals, with exposure dates of November 2014 through November 2015.
Starwood hotel brands include:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest program
You can view the press release from Marriott here
Member Alert: Phishing Scam Details
September 10, 2018
Pima Federal Credit Union has been notified about a recent phishing scam. Members have reported receiving a phone call from a person claiming to be a representative from Pima Federal requesting personal information. Please be advised Pima Federal will never contact you and request personal identifying information including: date of birth, social security number, debit card PIN, etc.
If suspicious behavior is suspected on your account, our team may contact you to verify the validity of the transactions in question; however, no personal identifying information will be requested of you.
If you receive a call from an unknown source claiming to be a representative from Pima Federal, it’s best not to provide any personal and/or account information over the phone. Advise the caller you will be contacting Pima Federal directly and give us a call at (520) 887-5010.
Let's Protect Each Other!
Our members and the credit union as a whole continue to see fraud-related activity and suffer losses, generally with no insurance coverage or safeguards outside of prosecution. The suggestions below are provided to reduce your exposure to becoming a victim of a fraudulent scheme or possible identity theft.
Member Guide to Fraud and ID Theft
At Pima Federal, part of our mission is to “Protect Our Member-Owned Assets”. If you have experienced identity theft or fraud, here are some resources to help you protect your identity and credit history.
Contact the appropriate law enforcement agency for your residence. (Non-emergency phone numbers listed)
- Tucson Police Department – 520-791-4444 (8am–6pm)
- Pima County Sheriff – 520-351-4900
- Marana Police Department – 520-682-4032
- Oro Valley Police Department – 520-229-4900
- Springerville Police Department – 928-333-4240
- Eagar Police Department – 928-333-4127
- Apache County Sheriff – 928-337-4321
Replace any lost identification
- Arizona Identification
- Social Security
- Resident Alien or Green Cards
- Military ID
  - Report to your base Physical Security Officer or go through your chain of command
Credit History/Identity Theft
Contact the three credit bureaus to place Fraud “alerts” on your credit report
Remember to visit www.annualcreditreport.com to get copies of all three credit reports in 30-60 days to review for free.
Change any compromised passwords. For example: computer, home banking, Pima 24/7, personal identification number (PIN) for cards, etc.
If you close your checking account and/or VISA Debit card and open new ones due to fraud or theft, remember to update your new account information with the following entities as necessary:
- Employer’s Payroll/HR department to change your direct deposit information.
- All companies that take recurring automatic debits by electronic check, ACH, or debit cards to update your new account information or card number.
  - For example: gym membership, Netflix service, TEP bill, bill pay service, etc.
Courtesy Notice Regarding Equifax Data Breach
As a courtesy to our members, we are providing a briefing on the Equifax Inc. breach and suggestions for increased peace of mind.
On September 7, 2017, Equifax Inc. announced that hackers had breached some of their systems through a website vulnerability, and data had been compromised on roughly 143 million customer records. Equifax indicates the records included Social Security numbers, birth dates, address and driver's license numbers. The unauthorized access occurred from mid-May through July 2017, based on Equifax's investigation. Further information indicates that a smaller number of credit card numbers and dispute documents were also accessed (i.e. fewer than 500,000 combined), which contained personally identifiable information (PII). Those consumers will receive direct mail notices. The investigation is largely complete, yet not concluded. As we learn more information, we'll share it through our website.
In response to the breach, Equifax Inc. has established a website at www.equifaxsecurity2017.com to assist consumers in learning whether their records were accessed and enroll to receive a free, one-year subscription with TrustID Premier, an identity protection company owned and operated by Equifax.
Subsequent reports have raised questions about the accuracy of the website tool, and the most current information indicates that any person with a credit history should take action as if they were affected.
Pima Federal's primary credit bureau relationship is with Experian, rather than Equifax Inc., yet as with most financial institutions, bureau reporting includes Experian, TransUnion and Equifax Inc.
Suggestions for increased peace of mind include:
- Use caution with your current security questions and information; update as needed.
- Use multi-factor authentication wherever possible.
- Regularly review your deposit and loan statement information, and check online banking transactions frequently for any unauthorized activity.
- Be aware if you stop receiving mail and/or timely statement information.
- Monitor your credit report regularly.
- Consider adding a lock or freeze on bureau information, along with a PIN. (Consult with the bureau agencies for guidance.)
Fraudulent Cashier's Checks Continue to Circulate Across the Country
Pima Federal Credit Union continues to warn consumers and businesses about a national scam targeting parties selling items on Craigslist (e.g. “overpayment scam”) and individuals applying for jobs online (e.g. office assistant or personal assistant jobs, car wrap ads, or other similar employment) through Craigslist and most recently, Indeed and ZipRecruiter. The employment scammers send the items primarily by 2-day or 3-day Priority letter through the United States Post Office, delivered to consumers across the country. In the envelope, consumers are receiving fraudulent cashier's checks (blue, usually marbled in appearance, though variations are also circulating), allegedly from Pima Federal.
The fraudulent cashier's checks are for amounts generally between $300 and $8,660, with most under $5,000 (e.g. $3,850 and $4,980.50 are common amounts, with other amounts reported), and come with instructions, either by letter or by text, to deposit the check to your account and then send excess funds to specific individuals (not usually the remitter of the fraudulent check) using Western Union or pre-paid cards (e.g. iTunes or other “untraceable” cards).
The Craigslist scam involves texting to confirm the "payment" was received and the check hold was released. Instructions will be provided to send the overpayment by “wire” (or text the pre-paid card code) back to the scammer. Payment is made with a fraudulent cashier's check.
If the consumer follows the instructions, they become victims when the fraudulent cashier's checks are returned as "altered / fictitious."
Consumers can protect themselves by asking their financial institution to place an extended hold on the check (i.e. doubtful collectability), and/or contact our Contact Center at (520) 887-5010 to verify whether the check is fraudulent.
We may ask you to provide your daytime contact number, a photocopy of the check, the instructions, and a copy of the envelope mailing label by scanning the information to Pima Federal’s e-Services group to assist in the investigation. Information you provide to Pima Federal may be forwarded to law enforcement. Law enforcement may ask for any original documents you may have.
Protecting consumers from becoming potential victims of this scam is important to Pima Federal.
Staying Safe and Secure with Your Mobile Device
We love that our members are using mobile banking features more and more, where taking care of financial needs is often only a few steps, clicks and swipes away! In order to keep your account information safe, here are a few mobile device security tips:
- Password protect your mobile device and set your device to auto lock.
- When not in use, store your mobile device in a secure location.
- Be cautious when using unsecured, public Wi-Fi.
- Keep your mobile operating system and mobile software up-to-date to ensure the highest level of security.
- Install a security app on your mobile device.
- Avoid storing passwords and other sensitive information on your mobile device where it could be discovered if lost or stolen.
- If you lose your mobile device, immediately contact your carrier to block or suspend your device.
DocuSign Data Breach - Information for our Members' Peace of Mind
On May 17, 2017, DocuSign confirmed a data breach occurred at one of their computer systems. The data stolen was isolated to DocuSign established account customers and their user email addresses. According to DocuSign, the breach did not extend to individuals who were simply providing electronic signatures. Unless you had a DocuSign account established as a customer of DocuSign directly, your data was not compromised by a document you signed at Pima Federal. DocuSign has a Trust Center and provides information on personal safeguards.
Your safety and security are top of mind at Pima Federal.
Top Priorities for 2017
At Pima Federal, keeping our members and member assets safe is one of our highest priorities in this ever-increasing digital age. Security is top of mind, and fraud is on the rise internationally. That said, we want to ensure our members have easy access to pertinent security information.
To protect against fraud and stay abreast of fraudulent schemes, the FBI has added a comprehensive section you can easily access called "Scams and Safety."
One of our favorite security resources published by the FBI is the Fraud Alert Poster. The document is a great way to quickly check the alerts we all need to protect ourselves from and stay safe.
We continue to see scams in the area of online dating, Craigslist classified ads, and online job opportunities that prove to be fraudulent. Please research before you transact, and use your intuition and best judgment to protect yourself and your family from predatory behaviors. With tax season coming up, we want you to know that the Internal Revenue Service (IRS) has been targeted for fraudulent scams.
The IRS has recently issued a series of alerts regarding an increased surge in telephone, email and text scams demanding money or personal information from taxpayers. It is important to know that the IRS only utilizes the U.S. Postal Service mail to communicate with taxpayers. If you receive another form of communication stating that they are from the IRS, you are hearing from a scammer.
The scammers will state they are with the IRS and provide a fake identification number. The scammers can become very aggressive in demanding immediate payment to a prepaid debit card or for a wire transfer. They may threaten you with a lawsuit or being arrested if you do not submit an immediate payment. None of these actions will happen when you ignore the demands. Some of the most recent scams include demands for:
- Payment of taxes related to the Affordable Care Act
- Payment of taxes targeting students and parents for school related taxes
- Telephone calls to immigrants threatening deportation unless they immediately pay non-existent taxes
- Telephone calls indicating the person has your tax returns and needs to verify information
- Phishing emails that appear to be official IRS letters asking to disclose information
With knowledge and a bit of savvy, you can successfully protect yourself and your assets.
If in doubt, Pima Federal's Risk Management Department is available for you by calling our Contact Center at (520) 887-5010 and asking to speak with a member of the Risk Management Team.