Honors account information security data breach

Old Apr 4, 2011, 9:29 pm
  #31  
 
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
Originally Posted by cordelli
That's pretty funny. It is about as far from the reality of the relation between Epsilon and Hilton as one could possibly get.

Epsilon has access to way more than the email and first name. Way more.
But that wasn't where the breach occurred. It was the email database, not the account one. Unless you know different.
Wally Bird is offline  
Old Apr 4, 2011, 9:35 pm
  #32  
FlyerTalk Evangelist & Ambassador: China
 
Join Date: Aug 2005
Location: DEN
Programs: DL DM/MM, UA 1K, AA Exp, HH Dia, WOH Glob, IHG Plat, Marriott Gold, NA EE, Hertz PC
Posts: 17,421
Hilton, Walgreens, and at least two other emails which I just deleted...
mnredfox is offline  
Old Apr 4, 2011, 9:36 pm
  #33  
 
Join Date: Jun 2008
Location: PBI / JFK, ISP, LGA
Programs: AA, AS, AV, B6, DL, F9, WN
Posts: 866
I got an email from Best Buy but no one else. I heard Marriott was one of the companies too.
Open Jaw is offline  
Old Apr 4, 2011, 9:49 pm
  #34  
In Memoriam
 
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
Originally Posted by Wally Bird
But that wasn't where the breach occurred. It was the email database, not the account one. Unless you know different.
I was not and will not comment on where the breach occurred.

I was commenting on the post that said, quoting


The compromised data shouldn't include CC information. Epsilon is a mass-mailer service, they'll have email addresses and probably names (first only?) so the worst that's likely to happen is you get a phishing or infected e-mail.

I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.
I simply said that Epsilon has considerably more information from HHonors members than just first name and e-mail address as was said in the post.

The concept of Epsilon not storing any additional data other than e-mail and first name for HHonors members is not at all based in reality, nor do clients like Hilton need to "send it" to them.
cordelli is offline  
Old Apr 4, 2011, 10:30 pm
  #35  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,843
Originally Posted by cordelli
I simply said that Epsilon has considerably more information from HHonors members than just first name and e-mail address as was said in the post.
I assume they need more information in order to be able to target individuals based on some criteria with HHonors marketing messages.
notquiteaff is offline  
Old Apr 5, 2011, 4:41 am
  #36  
 
Join Date: Aug 2007
Location: London
Posts: 32
I have notified Hilton about the problem repeatedly. The 1st time on the 27th of September 2010. Emails, faxes, phone calls. ZERO RESPONSE.

I KNOW it was Hilton because the barrage of filth and malicious emails (typically trying to get me to update Skype & Acrobat) started just before then.

How do I know it was Hilton? Because the unique email address I registered with them was

[email protected]

I am today contacting them, since the warning they have issued fails to address the scope of the malice. They have an obligation to fully warn recipients.
rahosi is offline  
Old Apr 5, 2011, 5:53 am
  #37  
 
Join Date: Jul 2001
Programs: Hilton Lifetime Diamond
Posts: 1,266
I am looking for at least 100,000 point compensation
milesmilesmiles is offline  
Old Apr 5, 2011, 9:01 am
  #38  
 
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
Originally Posted by cordelli
I was not and will not comment on where the breach occurred.

I simply said that Epsilon has considerably more information from HHonors members than just first name and e-mail address as was said in the post.

The concept of Epsilon not storing any additional data other than e-mail and first name for HHonors members is not at all based in reality, nor do clients like Hilton need to "send it" to them.
I can't argue with you as I have no knowledge of Epsilon's architecture nor the nature of the hack.

It's possible they are lying and that personal data is compromised, but I can see no upside in trying to hide something that would inevitably become public. For now I'll accept the claim that simply names and email addresses are in the wild. That would be consistent with best practices in keeping the mailer function and server totally separate from other databases, and I would also not expect to find any cross-population of irrelevant data.

I could well be wrong.

ETA from infosecurity-magazine.com
As reported previously, marketing company Epsilon revealed late on Friday that its opt-in marketing email database - which it operates for a number of mainly US firms - had been breached.
bolding mine.

Last edited by Wally Bird; Apr 5, 2011 at 9:12 am
Wally Bird is offline  
Old Apr 5, 2011, 9:08 am
  #39  
 
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
Originally Posted by sk3
Interesting, in agreement with Wally Bird, I've noticed for some time that logging in to Hilton is with an unsecured URL. I've had bookmarked HH's homepage and that's where I've always logged in:
http://hhonors1.hilton.com/en_US/hh/home_index.do

The page that notquiteaff linked I'd only see when I enter my account number incorrectly, and I would always just close out of that page. But I've now bookmarked notquiteaff's link and I'll be using that from now on.
Exactly. One should not have to 'know' an alternative URL in order to bypass the insecure transmission of account & PIN. If the home page has to be non-SSL for some reason then the login should be a link and those data entry fields removed.

I mean it's not like you don't have to enter the data again (and again) to get anywhere when you drill down.
Wally Bird is offline  
Old Apr 5, 2011, 11:19 am
  #40  
In Memoriam
 
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
While any further discussion is pointless, I do need to clear up that I never said or implied, nor do I believe, that Epsilon was lying, or that any other system than what they have publicly stated was compromised. I'm not even sure why that's part of the discussion, but it was never anything I said.
cordelli is offline  
Old Apr 5, 2011, 12:57 pm
  #41  
 
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
Originally Posted by cordelli
While any further discussion is pointless, I do need to clear up that I never said or implied, nor do I believe, that Epsilon was lying, or that any other system than what they have publicly stated was compromised. I'm not even sure why that's part of the discussion, but it was never anything I said.
And I never said or implied that you said or implied Epsilon was lying. OK?

I maintained, based on the limited information available to the public, that it was a mailing list which was compromised and that such a database did not need to contain any personal data and such data (if supplied) should be discarded when entries are made.

I agree, further discussion does seem pointless unless anyone is keeping score of the 'points'.
Wally Bird is offline  
Old Apr 5, 2011, 6:56 pm
  #42  
 
Join Date: Oct 2010
Posts: 948
Originally Posted by sunil
I do think the letter was a weak apology and probably the result of a legal review.
Where was the apology? Mine had zero apology, zero acceptance of responsibility.
adventureadam is offline  
Old Apr 5, 2011, 8:19 pm
  #43  
 
Join Date: Nov 2010
Programs: *A Gold
Posts: 140
Got the same kinda mail from around 10 companies so far. I think Epsilon is gone...
aacreative is offline  
Old Apr 6, 2011, 8:53 am
  #44  
Moderator: Smoking Lounge; FlyerTalk Evangelist
 
Join Date: Feb 2004
Location: SFO
Programs: Lifetime (for now) Gold MM, HH Gold, Giving Tootsie Pops to UA employees, & a retired hockey goalie
Posts: 28,878
Here's a listing of the affected companies (which may grow)

http://www.securityweek.com/massive-...s-major-brands
goalie is offline  
Old Apr 6, 2011, 2:02 pm
  #45  
Suspended
 
Join Date: Sep 2009
Location: Manchester
Programs: Hertz Gold / Hilton Diamond / Hyatt Plat / Marriott Gold / IC RA / SPG Plat
Posts: 707
Got the same email from Marriott.
Goonerfish is offline  

