
Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Old Dec 11, 18, 5:29 am   -   Wikipost
 
Last edit by: MasterGeek
From Starwood Lurker team :
Please visit  info.starwoodhotels.com  for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service Marriott is providing because of this breach at the link below. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html

Old Dec 1, 18, 5:36 am
  #226  
 
Join Date: Jun 2011
Location: DCA
Programs: AA EXP; SPG/MAR PPE
Posts: 1,557
Originally Posted by EuropeanPete:


Of course they could - but no reason why they wouldn’t do that anyways. Business decisions are not always rational, so it could well happen, but that’s still very far from claiming that corporate fines = consumers pay.
Much more likely that shareholders pay; Marriott earns revenue from hotels that rent rooms to customers. Room rates are set in a (moderately) competitive environment. Raising room rates (or otherwise making terms worse for customers) will likely lead to customers going elsewhere and hence reducing future revenue. The stock price is already down by some estimate of the future costs of the breach.
GUWonder and EuropeanPete like this.
ckendall is offline  
Old Dec 1, 18, 6:21 am
  #227  
FlyerTalk Evangelist
 
Join Date: Dec 2003
Location: MAN and LON
Programs: Mucci, BAEC LT Gold, HH Dia, MR LT Plat, IC RA, Kimpton Inner Circle, Amex Plat
Posts: 13,395
Originally Posted by ckendall:
Much more likely that shareholders pay; Marriott earns revenue from hotels that rent rooms to customers. Room rates are set in a (moderately) competitive environment. Raising room rates (or otherwise making terms worse for customers) will likely lead to customers going elsewhere and hence reducing future revenue. The stock price is already down by some estimate of the future costs of the breach.
If shareholders pay, exec compensation is hit, so it's the last thing that tends to happen. You can progressively make your product worse and boost short-term returns for a long time before customers really catch on to this. Look at Hilton and BA as great examples of this.

Bottom line is that Senior Management remuneration will be linked to shareholder returns and who votes for a pay cut?
MSPeconomist likes this.
Land-of-Miles is offline  
Old Dec 1, 18, 6:25 am
  #228  
 
Join Date: Aug 2001
Location: Toronto, Canada
Programs: Lifetime SPG Platinum
Posts: 1,721
tfong007 is offline  
Old Dec 1, 18, 10:11 am
  #229  
FlyerTalk Evangelist
 
Join Date: Dec 2003
Location: MAN and LON
Programs: Mucci, BAEC LT Gold, HH Dia, MR LT Plat, IC RA, Kimpton Inner Circle, Amex Plat
Posts: 13,395
Feel a little sorry for Marriott, as this clearly seems to be a Starwood problem they inherited; it's going to look pretty bad for the former Starwood management if they also covered this up during the sale.
Land-of-Miles is offline  
Old Dec 1, 18, 11:24 am
  #230  
 
Join Date: Oct 2013
Location: ORD
Programs: UA Gold, Marriott Platinum Premier/LT Gold
Posts: 4,101
Originally Posted by frenchft:
Stop the SPG bashing. It's a Marriott and Accenture issue. Period.
I hope and pray for a MASSIVE class action in the Us and a HUGE fine from EU.
The SPG bashing is going on because the hack happened under SPG's watch, not Marriott's. Marriott was the one who detected the hack. There's a whole lot of "kill the messenger" going on in this thread. But you're right that it's Marriott's issue now since they bought SPG's hacked reservation system.

I wonder if you'd be calling for lawsuits and fines if this had been discovered in 2015. Again, the only purpose this serves is harming the company that discovered and is trying to fix a data breach that occurred, prior to the acquisition, in a company it acquired. No one likes when this happens, but it's hardly abnormal these days. I'd much rather see Marriott use the money to help the affected customers in some way than to pay a fine to the government...and no, I don't think both have to happen. Should the company be fined for a problem it didn't cause? If I buy a house and then find a dead body in the walls, should I be charged with murder?
H3A3H3 and kennycrudup like this.
JBord is offline  
Old Dec 1, 18, 11:44 am
  #231  
 
Join Date: Jan 2016
Programs: Marriott PPE + AmB; AA Platinum; Amtrak Select Executive; Hertz President's Circle
Posts: 53
Unfortunately, nothing is 100% safely secured on the web. These software applications are evolving every day and bugs/defects pop up every single day. That's no excuse though. It is the state of the internet that we currently live in. If top-tier tech companies hiring the best and brightest to write their software are still getting hacked, then non-tech companies who have problems hiring top tech talent are even more vulnerable to these attacks. Also, from my experience the business people in non-tech companies do not place a high importance (e.g. resources and budget) on technology even though it generates a huge amount of profit for them. Trust me, as engineers we've fought those battles on many projects and have lost. Most of them simply do not understand IT. They do the same thing that most of the commenters here do. They overly simplify complex computer systems and think there are band-aid solutions to these problems instead of spending money on updating or rewriting old insecure platforms.

Last edited by dunno282; Dec 1, 18 at 11:50 am
dunno282 is offline  
Old Dec 1, 18, 12:30 pm
  #232  
FlyerTalk Evangelist
 
Join Date: Jun 2006
Location: IAD/DCA
Posts: 31,370
amusing marriott spokesperson above >

"Marriott International, Inc. does not own, operate or manage"
that describes franchises, which are 67% of marriott hotels

"Starwood SPG program through its relationship with Design Hotels"
marriott / starwood controls design hotels (domination agreement)

also agree with dunno282
Kagehitokiri is offline  
Old Dec 1, 18, 3:27 pm
  #233  
 
Join Date: Apr 2003
Location: DEN/BDL/LGA/HPN
Programs: Marriott Plat Premier; AA EXP 2MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 4,363
Would be interesting if this is a topic of discussion between Trump and Xi today at the G20 since the circumstances suggest this is a state actor ....
C17PSGR is offline  
Old Dec 1, 18, 3:51 pm
  #234  
 
Join Date: Apr 2001
Posts: 332
Originally Posted by UA-NYC:


I find sharing to be up since 8/18 as we all navigate this black hole of Marriott customer service, or lack thereof. The company has abrogated any leadership or communication whatsoever. The Lurkers can only do so much as the transparency they brought over from Starwood has disappeared into Marriott opaqueness.

You and a few others talking about “trolling” in this thread is the opposite of helpful. “We” didn’t create this mess.
So insightful, and so eloquently stated.

In my experience, some of Marriott's most skilled leaders are drowning, and find themselves deeper and deeper in dysfunction, on a weekly basis. I'm saddened to think/say that I barely recognize the company (Marriott) that has been an integral part of our family for 50 years.
H3A3H3 is offline  
Old Dec 1, 18, 4:00 pm
  #235  
 
Join Date: Aug 2001
Location: Toronto, Canada
Programs: Lifetime SPG Platinum
Posts: 1,721
You would think that for a deal of this size some sort of due diligence with respect to the security and data was performed? How does the CEO still have a job?
tfong007 is offline  
Old Dec 1, 18, 4:08 pm
  #236  
 
Join Date: Apr 2003
Location: DEN/BDL/LGA/HPN
Programs: Marriott Plat Premier; AA EXP 2MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 4,363
Originally Posted by tfong007:
You would think that for a deal of this size some sort of due diligence with respect to the security and data was performed? How does the CEO still have a job?
Presumably, they conducted due diligence.

The issue is that this is almost certainly actions by a highly sophisticated state actor.
C17PSGR is offline  
Old Dec 1, 18, 4:12 pm
  #237  
 
Join Date: Aug 2012
Location: KHOU + KSFO
Programs: AA EXP | Marriott Bonvoy Ambassador
Posts: 3,950
Originally Posted by C17PSGR:
Presumably, they conducted due diligence.

The issue is that this is almost certainly actions by a highly sophisticated state actor.
RDP on servers running EOL operating systems, open to the public internet, is not indicative of state-actor sophistication.

It reeks of weapons-grade incompetence.
Antarius is offline  
Old Dec 1, 18, 4:22 pm
  #238  
 
Join Date: Jul 2005
Posts: 1,043
https://www.apnews.com/586e0183ca0142d68a01ca6b5898a8a0

NEW YORK (AP) — The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

But the target here — hotels where high-stakes business deals, romantic trysts and espionage are daily currency — makes the data gathered especially sensitive.

The affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert.

“There are just so many things you can extrapolate from people staying at hotels,” he said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected it Sept. 8 but was unable to determine until last week what data had possibly been exposed — because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

A cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the “two components needed to decrypt the payment card numbers.” It said it cannot “rule out the possibility that both were taken.”

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.

The FBI would not say whether it is investigating, but said in a statement that anyone contacted by Marriott should “take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.”

Passport numbers have previously been part of a hack, though it’s not common. They were among records on 9.4 million passengers of Hong Kong-based airline Cathay Pacific obtained in a breach announced in October.

Combined with names, addresses and other personal information, passport numbers are a greater concern than stolen credit card numbers because thieves could use them to open fraudulent accounts, said analyst Ted Rossman of CreditCards.com.

The data purloining highlights just how dangerous hotels can be for people worried about their privacy.

“Hotels have long been important government sources of local information for tracking foreigners: reservation systems and loyalty programs took the surveillance global and made it easier for us to give up our privacy,” said Colin Bastable, CEO of Lucy Security.

Intelligence agencies including the U.S. National Security Agency are well plugged into the global travel industry “by fair means or foul,” he said, and non-government cybercriminals now have the same hacking tools.

“Consumers have become collateral damage,” he said. “And we are all consumers.” He advises providing hotels with as little information as possible when making reservations and checking in.

Last year, the cybersecurity firm FireEye highlighted an effort in which Russian state agents allegedly tried to infiltrate the reservation systems of hotels in Europe and the Middle East.

When its acquisition by Marriott was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was too early to say what financial impact the breach might have on the company. It said it has cyber insurance and is working with its carriers to assess coverage.

Elected officials were quick to call for action.

The New York attorney general opened an investigation.

Virginia Sen. Mark Warner said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers “shoulder the burden and harms resulting from these lapses.”
jr1202sr is offline  
Old Dec 1, 18, 4:24 pm
  #239  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 86,579
Originally Posted by C17PSGR:

The issue is that this is almost certainly actions by a highly sophisticated state actor.
That is anything but certain unless and until we know more about what happened than what Marriott has publicly disclosed in the open.
GUWonder is offline  
Old Dec 1, 18, 4:28 pm
  #240  
 
Join Date: Jan 2016
Programs: Marriott PPE + AmB; AA Platinum; Amtrak Select Executive; Hertz President's Circle
Posts: 53
Originally Posted by tfong007:
You would think that for a deal of this size some sort of due diligence with respect to the security and data was performed? How does the CEO still have a job?

As I mentioned above, because you are overly simplifying a complex computer system. You are assuming that there is some way of finding this security breach, without knowing there was one, within a reasonable amount of time and money. It's like trying to find a needle in the haystack without knowing there is a needle in there. Also, I think it would be the CTO/CIO that would get fired first.
kennycrudup likes this.
dunno282 is offline  