
Marriott Data Breach [from Starwood database] : 500 Million Guests affected


Wikipost (last edited Mar 13, 19, 12:09 pm by MasterGeek)
From the Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll here in the "identity" monitoring service Marriott is providing because of this breach. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html

Old Dec 1, 18, 8:38 pm
  #256  
 
Join Date: Oct 2009
Location: Maine
Posts: 417
Originally Posted by MasterGeek:
Which phone number or email address should I use to contact Marriott to claim compensation? Is Marriott going to take responsibility for their carelessness in handling our personal information and issue a proper and material apology? A Category 8 7-night certificate would be appropriate. Alternatively, Marriott's CEO could make up for the shame brought on his company by kneeling directly on the ground and prostrating himself on live TV to apologize to customers (as in Japanese custom).
Lol, on the contrary, maybe you should compensate Marriott as a gesture of thanks for uncovering this dumpster fire that SPG created and allowed to happen for so long?
Posted by: swintec
Old Dec 1, 18, 9:29 pm
  #257  
 
Join Date: Nov 1999
Location: YYF/PEI/MZL/EZE
Programs: AS MVP/AC E50K/SPG-Marriott Titanium/Accor-FPC Plat/IHG Gold/HHDiamond/Hyatt Exp
Posts: 4,840
Originally Posted by JBord:
The SPG bashing is going on because the hack happened under SPG's watch, not Marriott's. Marriott was the one who detected the hack. There's a whole lot of "kill the messenger" going on in this thread. But you're right that it's Marriott's issue now since they bought SPG's hacked reservation system.

I wonder if you'd be calling for lawsuits and fines if this had been discovered in 2015. Again, the only purpose this serves is harming the company that discovered and is trying to fix the data breach, which occurred in a company it acquired, prior to the acquisition. No one likes when this happens, but it's hardly abnormal these days. I'd much rather see Marriott use the money to help the affected customers in some way than to pay a fine to the government...and no, I don't think both have to happen. Should the company be fined for a problem it didn't cause? If I buy a house and then find a dead body in the walls, should I be charged with murder?
C'mon. Being a Marriott defender is one thing, but did Marriott detect the hack 2 days after the takeover, 2 months, or 2 years?

I'm sorry, but Marriott is in no way ahead of the curve on anything IT-related.

As a legacy SPG Platinum w/ Ambassador, yes I am angry that this could go on for so long, but in its typical bumbling way with IT-related issues the big parent company cannot even bother to send out an email with an update to a member such as myself.
Posted by: PointWeasel
Old Dec 1, 18, 11:07 pm
  #258  
 
Join Date: Dec 2007
Location: Body in Downtown YYZ, heart and mind elsewhere
Programs: UA 50K, refugee from AC E50K.
Posts: 4,922
Originally Posted by chad75:
Still haven't received any notification from Marriott and live in a jurisdiction where it is a legal requirement to inform potential victims as soon as a breach is found. Maybe I need to plug in my fax machine from 1998?
Originally Posted by PointWeasel:
As a legacy SPG Platinum w/ Ambassador, yes I am angry that this could go on for so long, but in its typical bumbling way with IT-related issues the big parent company cannot even bother to send out an email with an update to a member such as myself.
@chad75 raises a good point. We all need to plug in fax machines so Marriott can notify us.
Posted by: RCyyz
Old Dec 2, 18, 12:07 am
  #259  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 86,721
Originally Posted by C17PSGR:
Naah. The source of this is an easy layup.

Let's see ... someone planted a system for mining data in 2014. The data they pulled had the ability to track who and where, but the credit card data was potentially encrypted. Certainly in the past four years, if this was done for economic purposes, Amex would have noticed a pattern of fraud tied to SPG Amex holders, since they would have been disproportionately impacted by any fraud aspects of that. Seen any reports on here from SPG Amex holders ... saying they were victims of fraud? Many of us have monitoring services that detect identity information being sold on the dark web. Again ... seen any reports of that from legacy SPG folks? The lack of selling that information again suggests a state actor.

And then, they've been mining the data since 2014. Most of the economic data breaches are usually hit and run, rather than extended mining.

The outrage here at the legacy SPG folks should really be focused on a certain state actor.
Some of the extended data mining breaches pursued for financial gain and done using software plants — or even sometimes using hardware plants — are a direct pursuit by criminal parties that don’t qualify as state actors (nor even as state-sponsored actors).

Hit and run data theft is only part of the picture of how some non-state actor criminals engage in data theft.

This doesn’t exclude the possibility of a state actor or state-sponsored actors being the data thief in this situation, but there is definitely no certainty that extended data theft can only be done by state actors.

A lot of illegally acquired data about real persons and their accounts is stored and sold as encrypted databases that won’t come up with paid darkweb searches even when marketed and sold via darkweb means. It’s not unusual for criminal-to-criminal transactions of this sort to involve one party revealing only a very tiny sample of all the stolen data and then handing over the whole stolen data set by sending the decryption elements after being paid in full. It’s also not all that unusual for some criminals to try to blackmail targets — corporate ones too — using stolen data as a means to try to negotiate over payment terms and/or to collect payment for the data.

And even as this could have been done by a state actor or state-sponsored actor, that doesn’t absolve Marriott of responsibility for the data breach under Marriott’s “watch” too. If anything, there are elements of Marriott’s response to the data breach that invite questions about Marriott’s technology competency and maybe even its legal competency.

Trying to hide behind the “.... but it was a sophisticated state actor” line only goes so far. Especially when Marriott has been holding back in ways that may be questionable.

Last edited by GUWonder; Dec 2, 18 at 1:11 am
Posted by: GUWonder
Old Dec 2, 18, 2:27 am
  #260  
 
Join Date: Feb 2008
Location: In the air
Programs: BA Gold, Marriott Amb, Hilton Diamond, AMEX Plat
Posts: 5,505
Originally Posted by swintec:
Lol, on the contrary, maybe you should compensate Marriott as a gesture of thanks for uncovering this dumpster fire that SPG created and allowed to happen for so long?
We can play legacy SPG vs. Marriott games here all we want, but there is no doubt that Marriott has the legal and customer responsibility now as they are SPG.

While I don’t think it’s realistic that everyone who ever made a booking gets a $20,000 hotel stay in compensation, I am rather unhappy that as an Ambassador client I’ve not yet received a notification email.
Posted by: EuropeanPete
Old Dec 2, 18, 2:30 am
  #261  
 
Join Date: Nov 2017
Programs: United Gold, BA Exec Club, Via Rail
Posts: 2,364
Originally Posted by EuropeanPete:
While I don’t think it’s realistic that everyone who ever made a booking gets a $20,000 hotel stay in compensation, I am rather unhappy that as an Ambassador client I’ve not yet received a notification email.
Seems to me that they were trying to be diplomatic with their ambassador.
Posted by: j2simpso
Old Dec 2, 18, 2:42 am
  #262  
FlyerTalk Evangelist
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 31,094
Originally Posted by GUWonder:
And even as this could have been done by a state actor or state-sponsored actor, that doesn’t absolve Marriott of responsibility for the data breach under Marriott’s “watch” too. If anything, there are elements of Marriott’s response to the data breach that invite questions about Marriott’s technology competency and maybe even its legal competency.

Trying to hide behind the “.... but it was a sophisticated state actor” line only goes so far. Especially when Marriott has been holding back in ways that may be questionable.
The bottom line is that if a business chooses to build a data network yet doesn't realize what is happening on that data network, they are just plain incompetent. In this case perhaps criminally incompetent. That said, very few non-technology businesses are fully aware of what is happening on their data networks. This is like computer viruses. Businesses freely choose to give their non-technical staff a computer that can access the public Internet. What did you think would happen?

There are tools and methods out there that could have spotted this issue long ago. But Starwood, then Marriott, chose to not spend the necessary funds and effort to manage their networks properly.
Posted by: stimpy
Old Dec 2, 18, 2:44 am
  #263  
 
Join Date: Nov 2015
Location: BNE
Programs: NZ*G, QF Bronze, VA Red
Posts: 518
Originally Posted by EuropeanPete:
While I don’t think it’s realistic that everyone who ever made a booking gets a $20,000 hotel stay in compensation, I am rather unhappy that as an Ambassador client I’ve not yet received a notification email.
You don't need to mention the part about being an Ambassador client. Your level in the loyalty program should have absolutely nothing to do with the expectation that Marriott fulfil its legal obligation to notify customers in a timely manner of the data breach. And no, some website somewhere on the internet run by a reputation management company does not count. As soon as the information was known, Marriott should have tasked their marketing team with using that giant email database they have to notify any and all affected customers. But they didn't. They got straight in touch with Kroll and told them "manage the reputational damage". Not acceptable. The company has failed the customers both ethically and legally.
Posted by: kyanar
Old Dec 2, 18, 3:08 am
  #264  
 
Join Date: Feb 2008
Location: In the air
Programs: BA Gold, Marriott Amb, Hilton Diamond, AMEX Plat
Posts: 5,505
Agreed, but my thinking of referencing my Ambassador was that it could be conceivable that the delay in notifying people was one of incompetence given all the problems that Marriott has with basic email.

However, for those of us with Ambassadors it would have been trivial to get your Ambassadors to manually email each of us and be ready for personal responses. It is a matter of indifference that this has not yet been done.
Posted by: EuropeanPete
Old Dec 2, 18, 5:51 am
  #265  
 
Join Date: Jun 2012
Location: CLT
Programs: Marriott Plat, AA Gold
Posts: 1,002
So should people that haven’t stayed at W, Sheraton or Westin not be affected?
Posted by: GoPhils
Old Dec 2, 18, 5:53 am
  #266  
 
Join Date: Feb 2008
Location: In the air
Programs: BA Gold, Marriott Amb, Hilton Diamond, AMEX Plat
Posts: 5,505
Originally Posted by GoPhils:
So should people that haven’t stayed at W, Sheraton or Westin not be affected?
You shouldn't be affected so long as you've not stayed in any Starwood hotels since 2014 (possibly excepting Design Hotels).
Posted by: EuropeanPete
Old Dec 2, 18, 6:00 am
  #267  
 
Join Date: Nov 2011
Location: Virginia
Programs: Marriott Gold, HHonors Gold, IHG Platinum
Posts: 152
While I would be happy to receive a personalized email notification, I can also understand the challenge faced by Marriott in sending that out to 500 million guests. Can you imagine the potential liability for notifying someone that their information had been hacked when it later turns out it was not?

Some people may incur expenses in changing documents and information once they are told their information has been hacked. I would hate to go through the process of changing my passport and credit cards if my information had not been hacked. Although I recognize the odds: 500 million guests!

I would rather get an accurate personalized notification that I can act on, than a vague notification that has nothing new beyond what has been in the news.
Posted by: EdofFX
Old Dec 2, 18, 6:24 am
  #268  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 86,721
Originally Posted by EuropeanPete:
You shouldn't be affected so long as you've not stayed in any Starwood hotels since 2014 (possibly excepting Design Hotels).
Would that be “not booked at and not listed in a reservation” rather than “not stayed in”?
Posted by: GUWonder
Old Dec 2, 18, 6:30 am
  #269  
A FlyerTalk Posting Legend
 
Join Date: Dec 2000
Location: Potomac Falls, VA
Programs: AA Plat 2MM, MR Gold, Avis Pref
Posts: 41,109
Originally Posted by EuropeanPete:
Agreed, but my thinking of referencing my Ambassador was that it could be conceivable that the delay in notifying people was one of incompetence given all the problems that Marriott has with basic email.

However, for those of us with Ambassadors it would have been trivial to get your Ambassadors to manually email each of us and be ready for personal responses. It is a matter of indifference that this has not yet been done.
You're special when it comes to upgrades as an ambassador.
You're no more special than the guy who signed up for one stay during the infraction period.

Last edited by yosithezet; Dec 5, 18 at 2:37 am Reason: Removed Rule 12.2 violation
Posted by: TrojanHorse
Old Dec 2, 18, 7:04 am
  #270  
 
Join Date: Feb 2008
Location: In the air
Programs: BA Gold, Marriott Amb, Hilton Diamond, AMEX Plat
Posts: 5,505
Originally Posted by TrojanHorse:
You're special when it comes to upgrades as an ambassador.
You're no more special than the guy who signed up for one stay during the infraction period.

Ambassador means bupkis in this instance - get over yourself
Clearly nobody has received any notification yet, and while there may have been (inexcusable, but unsurmountable) problems in emailing everyone, it definitely would have been possible to have had Ambassadors reach out to their guests based on their knowledge of stay patterns and contact details.

Last edited by yosithezet; Dec 5, 18 at 2:38 am Reason: Removed FT Rule 12.2 violation.
Posted by: EuropeanPete