
Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Old Apr 4, 19, 10:42 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here. It cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html

Old Nov 30, 18, 12:42 pm
  #151  
Suspended
 
Join Date: Nov 2017
Programs: United Gold, BA Exec Club, Via Rail
Posts: 2,798
Another point of confusion, the Marriott website says Starwood Guest database security incident. Last I checked Starwood (at least from an IT and branding perspective) ceased to exist in August. It's now just one Marriott (or as I like to call it SPMarriott). I also highly doubt that only Starwood reservations are impacted by this, it's likely the whole shebang given the sheer number of records involved and it was discovered after the integration of the two IT systems (September 2018). If we didn't have Equifax, Yahoo and the dozens of other security breaches I would be surprised.

Let's hope that SPMarriott offers a better goodwill gesture to their elites than free credit monitoring, a benefit found on even the most rudimentary of credit cards.

Safe Travels,

James
j2simpso is offline  
Old Nov 30, 18, 12:44 pm
  #152  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,265
Originally Posted by oxfordjames View Post
Have you even read the cause of this breach? This was an SPG issue!!
The Marriott cheerleading and SPG bashing won't change the fact that this remains a Marriott issue and was an SPG issue.
24left likes this.
GUWonder is online now  
Old Nov 30, 18, 12:51 pm
  #153  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,265
Originally Posted by 24left View Post
Agree with punishment but I don't see any "punishment" really done to Target, TJMaxx, Yahoo, the IRS, previous hotel-related breaches and all those others. Equifax is still in business and still selling all of your information to third parties, some of whom may even be hacker orgs. Who knows.

Toothless fines have not made a dent because as the Target hack from Dec 2013 showed, companies - and banks - look at the odds and choose the path of least resistance: oh well, if it happens we'll spend some pennies and toss a few bones of refunds, new credit cards, credit monitoring etc, here and there.

Look at the recent hacks at BA and worse, CX. Responses from those questionably capable in-charges, Alex at BA/IAG and Rupert at CX: giant shrugs.

Did Arne at least offer a shrug?
The GDPR fines from the European side can be very substantial if fully applied, but so far the EU seems to be more a corporate kiss-up than anything so I'm not holding my breath waiting for a large enough fine to hit Marriott over this matter even if it is demonstrable that Marriott should be liable with a fine of say 2-4% of its revenue. Perhaps Marriott will come back and try to hit us with a 2-4% GDPR surcharge while hoping its "competitors" do the same.
24left likes this.
GUWonder is online now  
Old Nov 30, 18, 12:59 pm
  #154  
 
Join Date: May 2003
Location: Cleveland, OH
Programs: UA-GS 1MM), Hertz Pres Circle, Starriott Titanium)
Posts: 1,619
Well at least now if I need to look up my missing spg stays, I can just download them from the dark web.
LordHamster is offline  
Old Nov 30, 18, 1:03 pm
  #155  
FlyerTalk Evangelist
 
Join Date: Apr 2008
Location: LGA/JFK/EWR
Programs: UA 1KMM, Hyatt Explorist, abandoned Marriott LTT (RIP SPG), Hertz PC
Posts: 19,271
Originally Posted by CJKatl View Post
Can we please allow this thread to help people learn about the breach and what needs to be done without cluttering it and making it unusable because people want to use the breach as another point in their pre-existing need to brag about a program that no longer exists?
Same goes for discussions about lifetime status without cluttering it up and accusing people of being conspiracy theorists - it's a two way street
UA-NYC is offline  
Old Nov 30, 18, 1:05 pm
  #156  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTP, Hertz President's Club
Posts: 916
Originally Posted by j2simpso View Post
Another point of confusion, the Marriott website says Starwood Guest database security incident. Last I checked Starwood (at least from an IT and branding perspective) ceased to exist in August. It's now just one Marriott (or as I like to call it SPMarriott). I also highly doubt that only Starwood reservations are impacted by this, it's likely the whole shebang given the sheer number of records involved and it was discovered after the integration of the two IT systems (September 2018). If we didn't have Equifax, Yahoo and the dozens of other security breaches I would be surprised.
The whole of Starwood and Marriott IT was never really integrated on 08/18.

What was integrated:
  1. The rewards program was integrated under a single system, with the possibility to merge accounts from the prior legacy programs together.
  2. Booking via Marriott.com was now possible for both legacy Marriott and legacy Starwood properties as a booking engine.
What was not integrated:
  1. The existing Marriott hotels continued to use their PMS systems to connect to MARSHA (Marriott's reservation system).
  2. The existing Starwood hotels continued to use their PMS systems to connect to Starwood's Reservation system.

On the not integrated front, #2 is still very apparent for some Starwood brands on Marriott.com. Some Starwood brands have switched to Marriott Opera PMS and MARSHA as a reservation system in the past couple months (see here), but no brands were switched before September 8th, 2018 (when Marriott claims they discovered the unauthorized access to the Starwood reservation computers). In fact, some brands are still using the Starwood reservation computers.

Try this:

Search for Times Square, Manhattan, USA on Marriott.com.
Pick View Rates for the Sheraton. You remain on Marriott.com. This is because Sheratons were switched to Marriott Opera PMS/MARSHA reservations system at the end of October.
Now instead, pick View Rates for The Chatwal, a Luxury Collection Hotel, New York City. You get redirected to starwoodhotels.com, which is the old Starwood reservations system. This is because St. Regis, Luxury Collection, Aloft, and Element are still on the legacy Starwood reservations system.

In short, since the claim is that any stay from 2014 to September 10th 2018 at any Starwood property is compromised, that's totally credible given that all legacy Starwood brands were still using the legacy Starwoodhotels.com site/legacy Starwood reservation system on that date (the first batch, some Four Points hotels, were switched to MARSHA on September 18th.)
phltraveler is offline  
Old Nov 30, 18, 1:29 pm
  #157  
 
Join Date: Aug 2018
Posts: 382
Originally Posted by GUWonder View Post
The Marriott cheerleading and SPG bashing won't change the fact that this remains a Marriott issue and was an SPG issue.
This is a Marriott issue inasmuch as Starwood LLC is now a wholly owned division of Marriott International, and Marriott will be footing the entire bill for any of Starwood’s prior wrongdoings.

To the extent people here on FT still distinguish between legacy MR and legacy SPG programs, this is solely a SPG issue.
Twickenham likes this.
MePlatPremier is offline  
Old Nov 30, 18, 1:36 pm
  #158  
FlyerTalk Evangelist
 
Join Date: Sep 2014
Programs: AC SE100K, 1MM, NH, DL, AA, GE/Nexus, APEC..
Posts: 15,281
Originally Posted by phltraveler View Post
The whole of Starwood and Marriott IT was never really integrated on 08/18.

What was integrated:
  1. The rewards program was integrated under a single system, with the possibility to merge accounts from the prior legacy programs together.
  2. Booking via Marriott.com was now possible for both legacy Marriott and legacy Starwood properties as a booking engine.
What was not integrated:
  1. The existing Marriott hotels continued to use their PMS systems to connect to MARSHA (Marriott's reservation system).
  2. The existing Starwood hotels continued to use their PMS systems to connect to Starwood's Reservation system.
On the not integrated front, #2 is still very apparent for some Starwood brands on Marriott.com. Some Starwood brands have switched to Marriott Opera PMS and MARSHA as a reservation system in the past couple months (see here), but no brands were switched before September 8th, 2018 (when Marriott claims they discovered the unauthorized access to the Starwood reservation computers). In fact, some brands are still using the Starwood reservation computers.

Try this:

Search for Times Square, Manhattan, USA on Marriott.com.
Pick View Rates for the Sheraton. You remain on Marriott.com. This is because Sheratons were switched to Marriott Opera PMS/MARSHA reservations system at the end of October.
Now instead, pick View Rates for The Chatwal, a Luxury Collection Hotel, New York City. You get redirected to starwoodhotels.com, which is the old Starwood reservations system. This is because St. Regis, Luxury Collection, Aloft, and Element are still on the legacy Starwood reservations system.

In short, since the claim is that any stay from 2014 to September 10th 2018 at any Starwood property is compromised, that's totally credible given that all legacy Starwood brands were still using the legacy Starwoodhotels.com site/legacy Starwood reservation system on that date (the first batch, some Four Points hotels, were switched to MARSHA on September 18th.)

Exactly the issue I hinted at upthread. When I go to book the W TPE or Westin LAX, the Marriott site sends me to the SPG site.

The fact that the Marriott "IT" people think this is my problem is a testament to their complete incompetence.

And the clowns at Marriott keep telling me that "the SPG properties will migrate over in December".

So, when will my missing nights, stays and points "migrate" back to me?

This is absolutely Marriott's responsibility. They bought SPG and with it the legacy and liabilities.

The fact that all of us are caught in the crosshairs of poor management, well. I wonder if Arne et al will ever be held accountable.
24left is offline  
Old Nov 30, 18, 2:06 pm
  #159  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 79,357
Originally Posted by MePlatPremier View Post


This is a Marriott issue inasmuch as Starwood LLC is now a wholly owned division of Marriott International, and Marriott will be footing the entire bill for any of Starwood’s prior wrongdoings.

To the extent people here on FT still distinguish between legacy MR and legacy SPG programs, this is solely a SPG issue.
Yesterday I was logged into my SPG account and looking at rates for a Sheraton. It directed me to the Starwood website (purple page with the spinning circle) and then the room rates pages I saw looked exactly as they did before the merger. Doesn't this mean that not all Sheratons have migrated to Marriott?
MSPeconomist is offline  
Old Nov 30, 18, 2:17 pm
  #160  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTP, Hertz President's Club
Posts: 916
Originally Posted by MSPeconomist View Post
Yesterday I was logged into my SPG account and looking at rates for a Sheraton. It directed me to the Starwood website (purple page with the spinning circle) and then the room rates pages I saw looked exactly as they did before the merger. Doesn't this mean that not all Sheratons have migrated to Marriott?
Sheratons were planned to all be migrated at the end of October 2018, I encountered the transition during a stay that checked out November 1st. What specific property are you talking about? It's possible that a few got postponed on the migration for technical reasons.

Some Starwood properties are not migrated yet (Luxury Collection, St. Regis, Aloft, Element) and other brands are switching to Marriott reservations system this week (Westin/Le Meridien/W Hotels/Design Hotels).

Rule of thumb is
  1. If the view rates page keeps you on marriott.com - property was legacy marriott or legacy starwood that has been migrated to MARSHA
  2. If the view rates page takes you to starwoodhotels.com - property is still on the legacy Starwood reservations system.
ryw likes this.
phltraveler is offline  
Old Nov 30, 18, 2:23 pm
  #161  
 
Join Date: Dec 2006
Location: SJC
Programs: Bonvoy Tit Forever, AmEx Plat, National EE, WN CP, CLEAR
Posts: 3,518
If there was any (hard) evidence required of the level of irrational hatred of MR by SPG loyalists, this thread is it.

Imagine that after some time and negotiation, I finally buy a classic car I've been interested in for a while. In the process of cleaning it up to get it show-ready, I find hairs in the grill that are then later found to be connected to the victim of a fatal hit-and-run that happened years ago. If some here on FT had their way, I would be on trial for first-degree murder.
DJ_Iceman and Twickenham like this.
kennycrudup is offline  
Old Nov 30, 18, 2:24 pm
  #162  
 
Join Date: Oct 2013
Location: ORD
Programs: UA Silver, Marriott Titanium/LT Platinum, Hilton Gold, AA Platinum
Posts: 4,287
Originally Posted by choco View Post
SPG is now and truly dead. Marriott is awful. Just cancelled my SPG AMEX card. Sad ending to a great Starwood program.
Hmmmm. I can't tell if this is sarcasm, there are so many things wrong in only 4 sentences. So you're stating the following:

1. SPG is dead (true!) -- perhaps you should be thankful because if it still existed, maybe the data breach would still be undetected.
2. Marriott is awful (because they found the problem in the SPG system that's been present since 2014) -- I see no connection to how you feel about Marriott as a corporation. How you should judge them on this issue is how they respond. It seems like there's more to come on that, although I haven't read through all the details yet.
3. The Starwood "program" was great because it allowed easy access for hackers. -- None of this has anything to do with either SPG's or Marriott's loyalty program.

With all due respect, you seem confused. But at least you took the correct action in cancelling your compromised credit card.

Originally Posted by X-ON View Post
Wow what a fiasco of a merger... It is really not that interesting if we attribute this to SPG Mickey Mouse security protocols or a subpar due diligence by Marriott the end result is a fiasco merger at best or catastrophic merger at worst. Mr Sorenson should thank his lucky star if he survives this.
And how would one go about catching this during due diligence, when it hadn't been caught by the IT department operating the system on a daily basis for 2 years? Have you ever been involved in due diligence during a merger?

Originally Posted by maracle View Post
Marriott bought Starwood, and therefore get their liability. They should be held to account. But I boggle at folks who pretty much are saying they liked the good ol' days, when their account was breached and no one knew about it.
Exactly right on all counts. Amazing that some people can't see it so simply.

Originally Posted by GUWonder View Post
The Marriott cheerleading and SPG bashing won't change the fact that this remains a Marriott issue and was an SPG issue.
Again, right on. What defines Marriott and its leadership in this issue is how they react. You can't blame them for anything that happened until now. If they follow the merger pattern of no helpful communication to those affected by this problem, they fail. So let's give them a chance to respond and grade them after, not now as many seem to be doing. The reality is data breaches are a part of life now. I've had to change one credit card twice in just a few years. I've had my personal email accounts hacked several times over the years. I've had PayPal issues. If this causes anger and panic, I feel for those people who are going to have to live in an increasingly digital world. You have to accept the risk with the reward in any transaction these days.
JBord is offline  
Old Nov 30, 18, 2:29 pm
  #163  
 
Join Date: Dec 2007
Location: SFO
Programs: UA Plat and 1MM, Marriott Ti/LTP, Hertz PC
Posts: 802
Originally Posted by TravelinSperry View Post
Exactly. The primary issue of all this is identity theft. If a thief has enough info (SS#, Passport, addresses, etc.) they could attempt to pretend they are you and open credit lines using your info. Then they could run up credit and not pay and the institution may go after you (thinking you're the one who did it). If it happens it's a long drawn out process to prove it wasn't you. With that said, banks (etc.) oftentimes put you through the 5 question security check which the thieves need to get through (and that info is not always avail on the data they stole). In fact, I even sometimes get my 5 questions wrong as they sometimes go back decades. So even with our passport # and ss#, etc. - it's not that easy to imitate someone.

If you're really worried you can join an identity theft service or buy an umbrella policy that covers Identity theft.

I think most people just get upset that their data was stolen and they don't like the feeling of it being out there. But in reality, it's a very small % of people who are ultimately victims of identity theft (but for those who are it's a huge headache). I had a friend who was and it took her over a year of work and some real funds to straighten it out.
I haven’t seen any credit applications asking for someone’s passport number. If it’s the cover page of a passport, I can see that the DOB and DOP could potentially be useful. But the number?

A guest on Neil Cavuto’s morning show said criminals could duplicate passports by using someone’s passport number. I am not so sure. I have heard that a physical passport can be used to make a fake - but with just a number?

So I am really not so sure about the usefulness of one’s passport number to a criminal. Perhaps we shouldn’t worry about it? Anyone else care to enlighten us?
naumank is offline  
Old Nov 30, 18, 2:31 pm
  #164  
 
Join Date: Sep 2006
Location: HNL
Programs: UA 1K3MM, MR LT Plat, Hilton Gold
Posts: 1,689
Lots of paranoia in this thread.

Data breaches aren't exactly uncommon. And just because you can see or read the data, doesn't mean you can actually do anything with it if it is encrypted or incomplete.

If the door has been open at least 4 years - I'd certainly think someone by now would have been impacted - and I haven't read anything that any particular person has had an issue.
C17PSGR likes this.
HNLbasedFlyer is offline  
Old Nov 30, 18, 2:33 pm
  #165  
FlyerTalk Evangelist
 
Join Date: Sep 2014
Programs: AC SE100K, 1MM, NH, DL, AA, GE/Nexus, APEC..
Posts: 15,281
Originally Posted by kennycrudup View Post
If there was any (hard) evidence required of the level of irrational hatred of MR by SPG loyalists, this thread is it.
......
I've been a member of BOTH SPG and Marriott well over a decade. So my anger and frustration is directed at the CUMULATIVE experiences I have had with Marriott, particularly the poor quality of agents and the non-existent customer service and support. In the same period of time, the SPG experience has been significantly better. I've always stayed at hotels in both chains and I had no preference for one company over the other as choice in hotels was based on location and price.

The breach is secondary to the collective punishment many of us feel because of the merger, the IT issues alone prior to this breach and the often "poor" responses for Marriott execs and yes, Arne. Some of the fluff in yesterday's WSJ article as well as other public comments he has made, are perfect examples.

So, you may think some SPG-loyalists have a hate-on for Marriott, especially given how poor the merger and integration was and now with this breach. I think plenty were not thrilled long before and especially those of us who were members of both.
24left is offline  