Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Apr 4, 19, 10:42 pm - Wikipost
This is a community-maintained wiki post containing the most important information from this thread.
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service that Marriott is providing because of this breach at the link below. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion and Experian) nor notifications when that credit report data changes:
https://answers.kroll.com/us/index.html

Dec 1, 18, 3:46 pm, #241
Join Date: Apr 2003
Location: DEN/BDL/LGA/HPN
Programs: Marriott Plat Premier; AA EXP 2MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 4,824
Originally Posted by GUWonder:
That is anything but certain unless and until we know more about what happened than what Marriott has publicly disclosed in the open.

Naah. The source of this is an easy layup.

Let's see ... someone planted a system for mining data in 2014. The data they pulled had the ability to track who and where, but the credit card data was potentially encrypted. Certainly in the past four years, if this was done for economic purposes, Amex would have noticed a pattern of fraud tied to SPG Amex holders since they would have been disproportionately impacted by any fraud aspects of that. Seen any reports on here from SPG Amex holders ... saying they were victims of fraud? Many of us have monitoring services that detect identity information being sold on the dark web. Again ... seen any reports of that from legacy SPG folks? The lack of selling that information again suggests a state actor.

And then, they've been mining the data since 2014. Most of the economic data breaches are usually hit and run, rather than extended mining.

The outrage here at the legacy SPG folks should really be focused on a certain state actor.
C17PSGR
Dec 1, 18, 4:33 pm, #242
Join Date: Jan 2000
Posts: 2,522
I don't see any reason a hotel should keep any passport data on file. Even if they are scanned by international properties, they should be deleted upon check out. I get why airlines require it, but hotels, no. Even Homeland claims to destroy some bio/facial data they collect from travellers. (Well, citizens, not visitors or residents.)
sdix
Dec 1, 18, 5:09 pm, #243
Join Date: Aug 2011
Location: MIA
Programs: DL Plat, AA EXP, UA Silver, Marriott LTT, HH Diamond (Aspire)
Posts: 362
Originally Posted by Antarius:
RDP on servers running EOL Operating Systems open to the public internet is not indicative of state actor sophistication.

It reeks of weapons grade incompetence.
One does not exclude the other. I do agree that AX would have noticed a disproportionate increase in fraud on the SPG cards, and for an exploit that is 4 years old, there is no point in saving PCI for later use - most early cards would be expired by now. Of course, if it took longer to get the keys - maybe access to PCI is more recent.

Anyhow - how did you come up with RDP on old Windows systems? I haven't seen that - did I miss anything?
flying_geek
Dec 1, 18, 5:14 pm, #244
Join Date: Feb 2003
Location: Prospero
Programs: QF WP SPG PLAT
Posts: 1,423
Still haven't received any notification from Marriott and live in a jurisdiction where it is a legal requirement to inform potential victims as soon as a breach is found. Maybe I need to plug in my fax machine from 1998?
chad75
Dec 1, 18, 5:19 pm, #245
Join Date: Apr 2014
Programs: UA 1K, AA Gold, Marriott/SPG Plat, Hyatt Explorist
Posts: 754
Originally Posted by RCyyz:
Has anyone actually received any proactive communication from Marriott yet? (I haven't.)
Not via email. Their app features the information prominently though.

Originally Posted by Antarius:
RDP on servers running EOL Operating Systems open to the public internet is not indicative of state actor sophistication.

It reeks of weapons grade incompetence.
How do you know that? Or are you speculating?
getagb
Dec 1, 18, 5:53 pm, #246
Join Date: Sep 2014
Programs: AC SE100K, 1MM, NH, DL, AA, GE/Nexus, APEC..
Posts: 15,281
From WIRED, Nov 30 2018

QUOTES:

"Some credit card numbers were also stolen as part of the breach, Marriott says, but the company did not provide an initial estimate of how many were taken. The credit card numbers were encrypted with the algorithm AES-128—a reasonably robust choice—but Marriott says the attackers may have also compromised the decryption keys needed to unlock the data.

All in all, it's not a great situation...

...Breach response experts told WIRED on Friday that the sheer amount of time the attackers had inside the system—four years in all—likely made the breach much worse than it otherwise might have been. Time gives attackers the ability to chip away at defenses, or simply learn more about a system to understand where the valuable data is. Even with encrypted data, like the credit card numbers in this case, an attacker with enough access could steal the decryption keys, or swipe sensitive data before it ever has a chance to be encrypted in the first place. Either scenario seems possible, given the details Marriott has released so far.

...Marriott says its own digital systems were not affected, only the Starwood side. Some penetration testers and network breach responders speculated to WIRED on Friday that Marriott's acquisition of Starwood may have played a role in delaying detection if the companies were distracted by the larger topic of brokering the deal.

"It's not clear whether the attacker already had access through Starwood before the merger, or whether Marriott had a copy of the database for evaluation purposes and due diligence and lost control of it there," says Jake Williams, founder of the penetration testing and incident response firm Rendition Infosec. "I can't believe that the merger wasn't a contributing factor in the breach."

Full article

https://www.wired.com/story/marriott...tect-yourself/
24left
Dec 1, 18, 6:22 pm, #247
Join Date: Jul 2005
Posts: 1,048
https://www.marketwatch.com/story/ma..._share_twitter

Marriott’s Starwood breach raises questions about meeting SEC standards for cybersecurity disclosure
Published: Nov 30, 2018 2:06 p.m. ET

Quote from article (use the link to read the full article): Marriott didn’t acquire Starwood until 2016 but said the hacker may have been accessing data since 2014

"On Friday Marriott International, the world’s largest hotel company, told the public that a data breach in its Starwood reservation system may have exposed personal information of up to 500 million guests and has been going on since 2014."

Last edited by hhoope01; Dec 2, 18 at 5:47 am Reason: Against FT rules to post full copy of published articles.
jr1202sr
Dec 1, 18, 6:45 pm, #248
Join Date: Apr 2018
Programs: Marriott Lifetime Titanium, American Airlines Platinum, Hertz President's Circle
Posts: 31
This is absolutely insane. I've been hit by all the big breaches - Home Depot, Target, Wendys, Equifax, etc. and now this. Since I've stayed at Starwoods internationally, they almost certainly have my passport number as well.

Here's to hoping that the EU hits them with the full 4% penalty under GDPR and the US hauls their execs before Congress. I won't hold my breath.
OldSchoolConsultant
Dec 1, 18, 7:04 pm, #249
Join Date: Jul 2003
Location: Florida
Posts: 26,947
I am convinced this is not for economic gain. Else it would not have been going on for more than 4 years without large-scale credit card fraud (anyone remember the Target breach? Several banks sued Target and they settled subsequently).

The moment I read about the news, the first thing crossed my mind was a certain state which did it for unspoken purposes. As the country's people often say, "Dear, you understand that."
Happy
Dec 1, 18, 7:08 pm, #250
Join Date: Apr 2003
Location: DEN/BDL/LGA/HPN
Programs: Marriott Plat Premier; AA EXP 2MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 4,824
Originally Posted by OldSchoolConsultant:
This is absolutely insane. I've been hit by all the big breaches - Home Depot, Target, Wendys, Equifax, etc. and now this. Since I've stayed at Starwoods internationally, they almost certainly have my passport number as well.

Here's to hoping that the EU hits them with the full 4% penalty under GDPR and the US hauls their execs before Congress. I won't hold my breath.
Here's to hoping Congress asks representatives of the country that did this to testify. Your outrage may be misdirected.
C17PSGR
Dec 1, 18, 7:11 pm, #251
Join Date: Oct 2009
Programs: AC, DL, Marriott, SPG, Fairmont, Best Western
Posts: 1,707
I edited the wiki to specify that the free Kroll WebWatcher service provided by Marriott is NOT REAL CREDIT MONITORING. It is merely an "internet scanner" that searches the dark web for data that the consumer provides. It does NOT provide free access to credit reports, scores and change alerts as retained by the credit bureaus (Equifax, TransUnion, Experian).

Marriott cheapening/stingying out and not paying/providing real credit monitoring is beyond lame and despicable. Many other big companies provided real credit monitoring when they incurred data breaches.
MasterGeek
Dec 1, 18, 7:37 pm, #252
Join Date: Apr 2003
Location: DEN/BDL/LGA/HPN
Programs: Marriott Plat Premier; AA EXP 2MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 4,824
Originally Posted by MasterGeek:
I edited the wiki to specify that the free Kroll WebWatcher service provided by Marriott is NOT REAL CREDIT MONITORING. It is merely an "internet scanner" that searches the dark web for data that the consumer provides. It does NOT provide free access to credit reports, scores and change alerts as retained by the credit bureaus (Equifax, TransUnion, Experian).

Marriott cheapening/stingying out and not paying/providing real credit monitoring is beyond lame and despicable. Many other big companies provided real credit monitoring when they incurred data breaches.
Keep in mind this is first aid ... an immediate response for Kroll.

The other data breaches didn't result in immediate credit monitoring the first day. Marriott likely has a cyber insurance policy that may be in control of this response. The other issue in this case is that this is a rare international data breach. Many of the credit monitoring countries avoid the EU.
C17PSGR
Dec 1, 18, 7:47 pm, #253
Join Date: Oct 2009
Programs: AC, DL, Marriott, SPG, Fairmont, Best Western
Posts: 1,707
Originally Posted by C17PSGR:
Many of the credit monitoring countries avoid the EU.
It's not that the credit monitoring services avoid countries other than US/Canada/UK. It's because in most countries the "credit bureau" system (a.k.a. banks colluding by exchanging data of their clients) simply doesn't exist. Want a credit card? "You gotta come into the branch to apply in person and show some payslips and your 3 most recent bank statements showing you can afford to pay. We don't know your dealings with other banks."
MasterGeek
Dec 1, 18, 7:55 pm, #254
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.021MM; Bonvoy Au-197; PCC Elite+; CWC Au-197; CCC Elite; WoH Dis
Posts: 48,821
Originally Posted by C17PSGR:
Here's to hoping Congress asks representatives of the country that did this to testify.
You're making a big (unfounded) assumption.
mahasamatman
Dec 1, 18, 8:10 pm, #255
Join Date: Oct 2009
Programs: AC, DL, Marriott, SPG, Fairmont, Best Western
Posts: 1,707
Which phone number or email address should I use to contact Marriott to claim compensation? Is Marriott going to take responsibility for their carelessness in handling our personal information and issue a proper and material apology? A Category 8 7-night certificate would be appropriate. Alternatively, Marriott's CEO could make up for the shame brought on his company by kneeling directly on the ground and prostrating himself on live TV to apologize to customers (as in Japanese custom).
MasterGeek