Go Back  FlyerTalk Forums > Miles&Points > Hotels and Places to Stay > Marriott | Marriott Bonvoy
Reload this Page >

Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Marriott Data Breach [from Starwood database] : 500 Million Guests affected

    Hide Wikipost
Old Apr 4, 19, 10:42 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: MasterGeek
Wiki Link
From Starwood Lurker team :
Please visit  info.starwoodhotels.com  for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here, it cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes :
https://answers.kroll.com/us/index.html
Print Wikipost

Reply

Old Nov 30, 18, 5:11 am
  #16  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,389
Originally Posted by MePlatPremier View Post


Yeah! Just like pre-acquisition SPG caught it...


Doesn't change the fact that mergers/acquisitions draw down IT resources in an environment where even the bandwidth to apply such resources may be challenged by the needs of management pursuing an M&A and are challenged when it comes to actual integration and delivering to the cost-cut targets the M&A peddlers sold to financial market participants. Absent the Marriott acquisition of Starwood, the data breaches almost certainly wouldn't have been as bad as with the Marriott acquisition of Starwood.

This has nothing to do with Starwood IT being better than Marriott IT or the other way around; it has to do with what happens in the real world of operational integration post-acquisition and what risks M&A activity create/exacerbate in that regard.

Originally Posted by Resonant Programmer View Post
I wonder if the post merger troubles led to this issue being identified.
It could be spun that way, but I doubt that a lot of Marriott IT employees are going to see a big bonus coming there way because of this issue being identified.

Originally Posted by stimpy View Post
Wow, what's going to happen in the EU with their strict new GDRP rules? Or as this predates that law will they get out of it?
The data breaches continued to take place even after GDPR became the proverbial law of the land in the EU. So just because a breach method commenced prior to GDPR becoming the law of the land doesn't free Marriott (inclusive of Starwood) from its GDPR compliance requirements for breaches that continued after GDPR became the law of the land.

Last edited by GUWonder; Nov 30, 18 at 5:24 am
GUWonder is online now  
Reply With Quote
Old Nov 30, 18, 5:14 am
  #17  
 
Join Date: Jul 2005
Posts: 1,048
Ridiculous to say this Predates Marriott ownership of Starwood Soley. They day they Merged is the Day Marriott was responsible for Starwood (and any legacy issues). That is why you perform DD before you make a Purchase the size of Starwood.

Marriott has failed to integrate the 2 companies in a timely manner and in a way that doesn't impact their customers. This is just another mistake in the long list.
jr1202sr is offline  
Reply With Quote
Old Nov 30, 18, 5:15 am
  #18  
FlyerTalk Evangelist
Four Seasons Contributor BadgeMandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 31,194
Originally Posted by GUWonder View Post
The data breaches continued to take place even after GDPR became the proverbial law of the land in the EU. So just because a breach method commenced prior to GDPR becoming the law of the land doesn't free Marriott (inclusive of Starwood) from its GDPR compliance requirements for breaches that continued after GDPR became the law of the land.
True. It makes you wonder why Marriott didn't do a thorough security audit before the merger? They could have spent $1m on an audit and saved much more in fines that may arise from this breach.
stimpy is offline  
Reply With Quote
Old Nov 30, 18, 5:17 am
  #19  
 
Join Date: Oct 2009
Location: ATL
Programs: DL PM 1 Mil Miler, HZ PC, Marriott LT PM, Hilton DM
Posts: 266
Originally Posted by jr1202sr View Post
ARNE Should resign. He has simply failed to deliver in this MERGER. Someone is going to sue the .... out of Marriott over this. Total cost to Marriott is going to be Material.
Yes the merger integration has been mess but this one has been going since 2014, that's before Marriott even announced they were buying Starwood. The breach was probably found when they were merging computer systems.
kennycrudup likes this.
estedman is offline  
Reply With Quote
Old Nov 30, 18, 5:23 am
  #20  
 
Join Date: Nov 2008
Programs: SPG-Plat, Hilton-Diamond, Club Carlson-Silver, Cathay-Diamond, Virgin-Gold
Posts: 1,650
I am not a fan of Marriott and certainly been vocal about how poor the merger has been and the leadership failures of Marriott in the process. It has been pretty much a disaster and a continuing one at that!

That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.

It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.

I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!

That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
LH738, kennycrudup, KRSW and 2 others like this.
UKTraveller4Fun is online now  
Reply With Quote
Old Nov 30, 18, 5:25 am
  #21  
 
Join Date: Aug 2011
Location: MIA
Programs: DL Plat, AA EXP, UA Silver, Marriott LTT, HH Diamond (Aspire)
Posts: 362
Now I know where my still missing SPG points are

A hacker stole them... wasn’t Marriott’s fault after all.
GUWonder and ronaldko like this.
flying_geek is offline  
Reply With Quote
Old Nov 30, 18, 5:32 am
  #22  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,389
Originally Posted by stimpy View Post
True. It makes you wonder why Marriott didn't do a thorough security audit before the merger? They could have spent $1m on an audit and saved much more in fines that may arise from this breach.
I find that BODs and C-suite types are more willing to gamble on spending bigger bucks per outside finance players for hire and for sales activities than on cutting back a little there and on themselves so as to instead spend more on in-house IT or even outsourced IT-related purposes.

Companies with retail customers of sorts haven't yet gotten around to really caring all that much about the privacy of all of their customers, and the companies seem to still have a sort of willingness to take the lumps from IT-related failures and arising data breaches rather than splurging to avoid it going wrong at all. Maybe the GPDR-related fines will change that game, but even in Europe GDPR compliance is still a work in progress and it seems that GDPR is sort of another fad of the day for professional service firms/types to make more money while delivering very little that is concrete other than some forms for people to fill out or more fine print to read/skim/skip.
KRSW and 24left like this.
GUWonder is online now  
Reply With Quote
Old Nov 30, 18, 5:32 am
  #23  
 
Join Date: Aug 2018
Posts: 424
Originally Posted by stimpy View Post
True. It makes you wonder why Marriott didn't do a thorough security audit before the merger? They could have spent $1m on an audit and saved much more in fines that may arise from this breach.
I’m sure they did due diligence during the acquisition process but either it wasn’t enough or this bug was extremely well disguised. Regardless, Starwood was most probably also contractually obligated to divulgr any materially relevant information to the acquisition, which it also failed to do.

What this comes up to is that by buying a derelict company with an undisclosed/unknown serious data breach Marriott bought itself a tremendous potential liability.

The EU fines alone may get into the hundreds of millions.

SPG has always had a pretty weak IT, especially in what relates to data protection. A FT thread from a few years ago (can’t bother to search it) documents a bug that allowed easy access to anyone’s reservation details just by making minor modifications to the web address and how it took Starwood several weeks to correct that after the bug was made public.
MePlatPremier is online now  
Reply With Quote
Old Nov 30, 18, 5:35 am
  #24  
 
Join Date: Dec 2014
Location: On the Road Again
Programs: UA 1K MM, HH Diamond, Marriott Life time Titanium Elite (whateverthat is)
Posts: 677
Originally Posted by UKTraveller4Fun View Post
I am not a fan of Marriott and certainly been vocal about how poor the merger has been and the leadership failures of Marriott in the process. It has been pretty much a disaster and a continuing one at that!

That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.

It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.

I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!

That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
Well said!
Even with no transactions with spg (ever) I will monitor my cards a little closer and I would still not be surprised to receive an invitation to do so again.
Dublin_rfk is offline  
Reply With Quote
Old Nov 30, 18, 5:36 am
  #25  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,389
Originally Posted by UKTraveller4Fun View Post
I am not a fan of Marriott and certainly been vocal about how poor the merger has been and the leadership failures of Marriott in the process. It has been pretty much a disaster and a continuing one at that!

That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.

It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.

I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!

That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
Marriott deserves its lumps on this too. Consider what Marriott was eagerly pursuing with regard to Starwood "overhead" and what that does to the IT skillset of a company and those most familiar with the systems involved. And even before that, what about Marriott's due diligence for investigating and figuring out its risk/exposure from potential privacy protection breakdowns at a target company it eagerly wanted to swallow whole? "You are what you eat" is something that M&A pursuers should consider when trying to put food on the plate.

What I'd like to see Marriott do is the following: come out and note specificially how Marriott found out about this breach that was running into the fall of this year.
24left likes this.
GUWonder is online now  
Reply With Quote
Old Nov 30, 18, 5:39 am
  #26  
Hilton Contributor BadgeAccor 10+ Badge
 
Join Date: Nov 2012
Location: Rhineland-Palatinate
Programs: OW Sapphire (BA), *A Gold (A3), Le Club Accor Silver, HHonor Gold
Posts: 2,107
Are we talking about 500 millions unique persons ? If so this might be the largest data breach in history no ? This is 6.5% of the globe population.
fransknorge is online now  
Reply With Quote
Old Nov 30, 18, 5:42 am
  #27  
 
Join Date: Jun 2002
Location: Formerly known as attorney28
Programs: BA Gold, LH SEN, LC Aur, Hyatt Dmd, Mar/SPG "Lifetime" Plat, HH Dmd, IC Amb, Sixt Dmd
Posts: 6,413
How come they waited so long to inform about this?
Football Fan is offline  
Reply With Quote
Old Nov 30, 18, 5:43 am
  #28  
 
Join Date: Dec 2014
Location: On the Road Again
Programs: UA 1K MM, HH Diamond, Marriott Life time Titanium Elite (whateverthat is)
Posts: 677
Originally Posted by fransknorge View Post
Are we talking about 500 millions unique persons ? If so this might be the largest data breach in history no ? This is 6.5% of the globe population.
More likely 500 millions of unique reservation transactions. So some of us have many hundreds of entries to the 'you're screwed' lottery.
Dublin_rfk is offline  
Reply With Quote
Old Nov 30, 18, 5:43 am
  #29  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,389
Not 500 million unique persons. Way less than that is my suspicion. But hotel data systems have been prime targets for exploitation by criminal outfits and for governmental actors.

Originally Posted by MePlatPremier View Post


I’m sure they did due diligence during the acquisition process but either it wasn’t enough or this bug was extremely well disguised.
The adequacy/inadequacy of such due diligence is all upon Marriott. Before and after its acquisition closed.
24left likes this.
GUWonder is online now  
Reply With Quote
Old Nov 30, 18, 5:43 am
  #30  
 
Join Date: Mar 2010
Posts: 1,032
Originally Posted by flying_geek View Post
A hacker stole them... wasn’t Marriott’s fault after all.
Also it is now obvious that hackers changed Marriott Rewards new name to Bonvoy because no one at Marriott would come up with a new Program name that is so ridiculous.
HHonors OUTSIDER is offline  
Reply With Quote

Thread Tools
Search this Thread