Honors account information security data breach
#31
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
But that wasn't where the breach occurred. It was the email database, not the account one. Unless you know different.
#34
In Memoriam
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
I was commenting on the post that said, quoting
The compromised data shouldn't include CC information. Epsilon is a mass-mailer service, they'll have email addresses and probably names (first only ?) so the worst that's likely to happen is you get a phishing or infected e-mail.
I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.
The concept of Epsilon not storing any additional data other than e-mail and first name for HHonors members is not at all based in reality, nor do clients like Hilton need to "send it" to them.
#35
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,843
I assume they need more information in order to be able to target individuals based on some criteria with HHonors marketing messages.
#36
Join Date: Aug 2007
Location: London
Posts: 32
I have notified Hilton about the problem repeatedly. The 1st time on the 27th of September 2010. Emails, faxes, phone calls. ZERO RESPONSE.
I KNOW it was Hilton because the barrage of filth and malicious emails (typically trying to get me to update Skype & Acrobat) started just before then.
How do I know it was Hilton? Because the unique email address I registered with them was
[email protected]
I am today contacting them, since the warning they have issued fails to address the scope of the malice. They have an obligation to fully warn recipients.
#38
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
I was not and will not comment on where the breach occurred.
I simply said that Epsilon has considerably more information from HHonors members than just first name and e-mail address as was said in the post.
The concept of Epsilon not storing any additional data other than e-mail and first name for HHonors members is not at all based in reality, nor do clients like Hilton need to "send it" to them.
It's possible they are lying and that personal data is compromised, but I can see no upside in trying to hide something that would inevitably become public. For now I'll accept the claim that simply names and email addresses are in the wild. That would be consistent with best practices in keeping the mailer function and server totally separate from other databases, and I would also not expect to find any cross-population of irrelevant data.
I could well be wrong.
ETA from infosecurity-magazine.com
As reported previously, marketing company Epsilon revealed late on Friday that its opt-in marketing email database - which it operates for a number of mainly US firms - had been breached.
Last edited by Wally Bird; Apr 5, 2011 at 9:12 am
#39
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
Interesting, in agreement with Wally Bird, I've noticed for some time that logging in to Hilton is with an unsecured URL. I've had bookmarked HH's homepage and that's where I've always logged in:
http://hhonors1.hilton.com/en_US/hh/home_index.do
The page that notquiteaff linked I'd only see when I enter my account number incorrectly, and I would always just close out of that page. But I've now bookmarked notquiteaff's link and I'll be using that from now on.
I mean it's not like you don't have to enter the data again (and again) to get anywhere when you drill down.
#40
In Memoriam
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
While any further discussion is pointless, I do need to clear up that I never said or implied, nor do I believe, that Epsilon was lying, or that any other system than what they have publicly stated was compromised. I'm not even sure why that's part of the discussion, but it was never anything I said.
#41
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
While any further discussion is pointless, I do need to clear up that I never said or implied, nor do I believe, that Epsilon was lying, or that any other system than what they have publicly stated was compromised. I'm not even sure why that's part of the discussion, but it was never anything I said.
I maintained, based on the limited information available to the public, that it was a mailing list which was compromised and that such a database did not need to contain any personal data and such data (if supplied) should be discarded when entries are made.
I agree, further discussion does seem pointless unless anyone is keeping score of the 'points'.
#44
Moderator: Smoking Lounge; FlyerTalk Evangelist
Join Date: Feb 2004
Location: SFO
Programs: Lifetime (for now) Gold MM, HH Gold, Giving Tootsie Pops to UA employees, & a retired hockey goalie
Posts: 28,878
Here's a listing of the affected companies (which may grow)
http://www.securityweek.com/massive-...s-major-brands