
Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Wikipost (last edited Apr 4, 19, 10:42 pm by MasterGeek)
From the Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service that Marriott is providing because of this breach here. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html

#166, Nov 30, 18, 2:48 pm
Join Date: Feb 2017
Programs: DL DM, UA Gold, Alaska MVP, Bonvoy (lol) Ambassador
Posts: 2,138
Originally Posted by HNLbasedFlyer:
Lots of paranoia in this thread.

Data breaches aren't exactly uncommon. And just because you can read the data, doesn't mean you can actually do anything with it if it is encrypted or incomplete.

If the door has been open at least 4 years - I'd certainly think someone by now would have been impacted - and I haven't read anything that any particular person has had an issue.
Well, with how everyone's data is already out there, it's hard to nail down exact causes of ID theft. There's no data here that hasn't already been leaked before.

While unlikely, it could also be a state actor or industrial espionage. Knowing where people are planning to go is useful information both for states and for unscrupulous enterprises. Think M&A, unusual financial auditing activity, where certain government officials plan to go before announcements, and so on.
C17PSGR likes this.
-- ethernal
#167, Nov 30, 18, 3:02 pm
Join Date: Aug 2014
Location: 50.1% in PDX and 49.9% in PVG ( 182 days in Shanghai in 2017 )
Programs: Marriott Ambassador Elite, UA 1K, AS MVP GLD 75K
Posts: 600
Marriott is really hitting on all cylinders right now, good job!
-- chipmaster
#168, Nov 30, 18, 3:07 pm
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 79,791
I find it amusing that on both CNN and NBC, when the media talk about this, they show pictures of legacy Marriott hotels, starting with a big Courtyard sign.

BTW, are they answering the hacked line any faster than they've been answering Plat, PP, etc. over the last months?
-- MSPeconomist
#169, Nov 30, 18, 3:17 pm
Join Date: Aug 2014
Location: YYZ
Programs: Marriott/SPG, BR, CX, Aeroplan
Posts: 406
Congratulations to Marriott for leaking the personal information of more than 5% of the world's population.
MSPeconomist likes this.
-- Dave510
#170, Nov 30, 18, 3:19 pm
Join Date: Dec 2006
Location: SJC
Programs: Bonvoy Tit Forever, AmEx Plat, National EE, WN CP, CLEAR
Posts: 3,553
Originally Posted by Dave510:
Congratulations to Marriott for leaking the personal information of more than 5% of the world's population.
OK, it's obvious people are just trolling now.
-- kennycrudup
#171, Nov 30, 18, 3:23 pm
Join Date: Apr 2009
Location: 787
Programs: Too many to list
Posts: 1,268
so now it
BA, Radisson, IHG (twice) and Marriott.

Nice.
-- ThePointsCollector
#172, Nov 30, 18, 3:28 pm
Join Date: May 2014
Location: Great Britain
Programs: Air: QR Platinum. BA, Emirates, AB. Hotels: CC Gold, IHG Plat, Hilton Diamond, Accor Platinum.
Posts: 1,277
Great, so crooks now have my home address along with a list of dates they know I won't be home.

If I am burgled, can I take some sort of related legal action against Marriott?

It seems like the only way to keep our data safe is for companies to not store any of it on servers which have access to the internet!
-- Sisyphus1carus
#173, Nov 30, 18, 3:32 pm
Join Date: May 2014
Location: Great Britain
Programs: Air: QR Platinum. BA, Emirates, AB. Hotels: CC Gold, IHG Plat, Hilton Diamond, Accor Platinum.
Posts: 1,277
How many shares in the company do I need to own in order to have a vote at the AGM to vote against any rise in the salaries / bonuses of the board of directors?

I wonder if it'd be possible to get all / most of the members together, buy one share each and enter a vote of no confidence or the like in the entire board? Just really to p*ss them off and deny them their cushy gravy train salaries & bonuses!

Not sure there are 500 million shares, are there? It'd certainly cause a rather significant spike to the share price, at which point the directors would probably sell off their holdings making a killing, so basically even if it was even remotely possible it would make them all rich and defeat the object anyway.

Hey ho. Random drunken ramblings! Polishing off all my fancy wines & spirits this evening given I'm bound to be burgled soon now that crooks have my address AND a nice little list of all the dates they know I'll be away from my home!!!!!!!!!!!!

Last edited by Sisyphus1carus; Nov 30, 18 at 3:39 pm
-- Sisyphus1carus
#174, Nov 30, 18, 3:33 pm
Join Date: Aug 2014
Location: YYZ
Programs: Marriott/SPG, BR, CX, Aeroplan
Posts: 406
Originally Posted by kennycrudup:
OK, it's obvious people are just trolling now.
Trolling? How so?

I'm rather impressed Marriott could leak so much personal information. I don't think anyone will be topping their record any time soon.
Sisyphus1carus likes this.
-- Dave510
#175, Nov 30, 18, 3:40 pm
Join Date: Apr 2005
Programs: Starwood:Lifetime Platinum, Air Canada:Basic, Asiana:Lifetime Diamond Plus, ANA: Basic
Posts: 955
Hopefully with the help of the FBI, they can find out whether it was foreign governments or sophisticated crooks who did it.

Both SPG and Marriott had at least an average level of IT staff and commercially available enterprise-level security software. So for the hack to have gone undetected since 2014 means it should be a sophisticated hack that went around all the security.

I am prepared to show some understanding if Marriott/SPG was hacked by foreign governments. There is little defense against this type of hacking. Recall the Bloomberg news a month ago of the Chinese government putting a small chip on server motherboards to hack Apple and other Silicon Valley giants to steal technology secrets. All elite government hacking teams have access to operating system holes that maybe the original manufacturer (be it Microsoft or Google or Apple) doesn't know about yet. National law enforcement agencies (including the FBI) also buy services from data security companies whose sole purpose is to find vulnerabilities in devices/computers to help law enforcement "get in" when the accused is uncooperative with a court order. The point is... every system has holes and those with deep pockets and deep talent (normally governments) can get through like a cyber version of Mission Impossible. It would be unrealistic for commercial entities to guard their systems to the near-impenetrable level at which the Pentagon/CIA guard their systems.
-- yeunganson
#176, Nov 30, 18, 3:43 pm
Join Date: May 2014
Location: Great Britain
Programs: Air: QR Platinum. BA, Emirates, AB. Hotels: CC Gold, IHG Plat, Hilton Diamond, Accor Platinum.
Posts: 1,277
Originally Posted by markle:
Whether it's 2% or 4% depends on whether or not it's considered either:

2%: Breach of controller or processor obligations
4%: Breach of data subjects’ rights and freedoms

In any case, "behind the scenes negotiations" is irrelevant - they have an obligation to notify. I'm not entirely clear what negotiation you'd even negotiate over... "We have a data breach, but we'll only follow our legal obligation to notify if you agree to give us a lower fine?"

This does not seem nearly enough of a penalty for allowing crooks access to my address along with a neat little list of dates I won't be home!!!!!!!!!!
-- Sisyphus1carus
#177, Nov 30, 18, 3:50 pm
Join Date: Sep 2014
Programs: AC SE100K, 1MM, NH, DL, AA, GE/Nexus, APEC..
Posts: 15,281
Originally Posted by Sisyphus1carus:
......Hey ho. Random drunken ramblings! Polishing off all my fancy wines & spirits this evening given I'm bound to be burgled soon now that crooks have my address AND a nice little list of all the dates they know I'll be away from my home!!!!!!!!!!!!
Originally Posted by Sisyphus1carus:
This does not seem nearly enough of a penalty for allowing crooks access to my address along with a neat little list of dates I won't be home!!!!!!!!!!
@Sisyphus1carus
Looks like you're going to be needing an extra batch of exclamation marks.
I'll give you some of mine if you pour me a glass of one of your fancy wines.
Sisyphus1carus likes this.
-- 24left
#178, Nov 30, 18, 3:53 pm
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,399
Originally Posted by naumank:
I haven't seen any credit applications asking for someone's passport number. If it's the cover page of a passport, I can see that the DOB and DOP could potentially be useful. But the number?

A guest on Neil Cavuto's morning show said criminals could duplicate passports by using someone's passport number. I am not so sure. I have heard that a physical passport can be used to make a fake, but with just a number?

So I am really not so sure about the usefulness of one's passport number to a criminal. Perhaps we shouldn't worry about it? Anyone else care to enlighten us?
For a run-of-the-mill street criminal or ordinary civilian criminal gang there is not a whole lot of utility in just having a passport number and that passport's details when there is no photo/photocopy of the passport biodata page itself. But there is a whole lot of utility for such information in the hands of a state actor with robust document fraud capabilities, or when dealing with less secure passport types where a bunch of stolen or fraudulently-acquired passport blanks have been collected by someone in the identity theft arena, whether for financial fraud, deep cover or whatever else.
-- GUWonder
#179, Nov 30, 18, 3:55 pm
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,399
Originally Posted by yeunganson:
Hopefully with the help of the FBI, they can find out whether it was foreign governments or sophisticated crooks who did it.

Both SPG and Marriott had at least an average level of IT staff and commercially available enterprise-level security software. So for the hack to have gone undetected since 2014 means it should be a sophisticated hack that went around all the security.

I am prepared to show some understanding if Marriott/SPG was hacked by foreign governments. There is little defense against this type of hacking. Recall the Bloomberg news a month ago of the Chinese government putting a small chip on server motherboards to hack Apple and other Silicon Valley giants to steal technology secrets. All elite government hacking teams have access to operating system holes that maybe the original manufacturer (be it Microsoft or Google or Apple) doesn't know about yet. National law enforcement agencies (including the FBI) also buy services from data security companies whose sole purpose is to find vulnerabilities in devices/computers to help law enforcement "get in" when the accused is uncooperative with a court order. The point is... every system has holes and those with deep pockets and deep talent (normally governments) can get through like a cyber version of Mission Impossible. It would be unrealistic for commercial entities to guard their systems to the near-impenetrable level at which the Pentagon/CIA guard their systems.
Targeting hotel systems to get customer data has been part of the state-sponsored hacking activities engaged in by countries such as the US, Russia, China, Israel, UK, North Korea and so on.

Governments get hacked. Even the NSA and other such organizations around the world known to hack into various systems have seen their system penetration tools swiped and used by others despite the measures taken to guard their systems. Technology is not perfect, processes aren't perfect and the people involved in both are certainly not perfect. Not when it comes to government, not when it comes to the corporate sector. But that doesn't excuse Marriott for what has happened and may happen with this data in the time ahead.

Originally Posted by HNLbasedFlyer:
Lots of paranoia in this thread.

Data breaches aren't exactly uncommon. And just because you can read the data, doesn't mean you can actually do anything with it if it is encrypted or incomplete.

If the door has been open at least 4 years - I'd certainly think someone by now would have been impacted - and I haven't read anything that any particular person has had an issue.
Was the door really open and used repeatedly and continuously during the entire 4 year period, or was it just that 4 years of data has been verified as having been swiped at one or possibly more points in time? There is a big difference between those two.

Unfortunately, Marriott isn't giving its customers enough details for the customers to make out all that Marriott knows about the breaches. Not that it will make all that much difference unless and until Marriott tells each and every customer all the info it had on that particular customer which was confirmed as being accessible to the hacker(s).

Last edited by GUWonder; Nov 30, 18 at 4:06 pm
-- GUWonder
#180, Nov 30, 18, 4:00 pm
Join Date: Dec 2007
Location: Body in Downtown YYZ, heart and mind elsewhere
Programs: UA 50K, refugee from AC E50K.
Posts: 4,938
Originally Posted by Sisyphus1carus:
This does not seem nearly enough of a penalty for allowing crooks access to my address along with a neat little list of dates I won't be home!!!!!!!!!!
Per Marriott's latest annual report, revenue in 2017 was $22.894 billion. I believe this includes SPG. In 2016 for example (pre-SPG) revenue was "only" $17.072 billion.

2% of $22 billion = $457.88 million.

Let's round that off and say the GDPR fine alone could be in the $500 million+ range. Other countries may press for fines as well. And undoubtedly in the US at least there will be some class-action lawsuit.

Not to mention that Marriott will claim (possibly with justification) that the issue is primarily an SPG one and therefore the fines should be calculated only on the SPG unit of roughly $5 billion revenue. I suspect Marriott will devote substantial time / money not only to investigating and fixing the data leak, but also to various legal-related matters, particularly if the EU tries to enforce GDPR to the fullest.
-- RCyyz