
Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit  info.starwoodhotels.com  for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here (it cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data, as held by Equifax, TransUnion, Experian, nor notifications when credit report data changes):
https://answers.kroll.com/us/index.html
Old Mar 14, 2019, 3:09 pm
  #511  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by transportbiz
Sorry, but if I park my car with the Valet at a hotel, and it's stolen, sure I'll be upset at the thief, but I'm going to blame the hotel. And so will the court.
Fair enough ... not sure that a Court will agree though, particularly if the thief was a sophisticated state actor with unlimited resources.

Originally Posted by transportbiz
I think one year for such a serious breach is inadequate. But, of course that will be missed on the Marriott apologist.
There have been dozens of major data breaches. I don't think this one is any more "serious" than the others. Do you know of any consumer company that has offered more than a year of coverage following a data theft? Do you know of any business who has used Lifelock in a data theft?

And, the practical issue is that this data was stolen a while ago but there is no evidence of any impact because it was a state actor. Another ID monitoring coverage (not sure how many I have at the moment) won't do any good and is a waste of time and money for everyone. In contrast, when the Home Depot and Target data breaches took place, it quickly became evident that credit cards were being used. I had to deal with the hassle of getting new credit cards, updating automatic payment accounts, reporting charges that weren't mine. When a couple of the different email systems were hacked (Yahoo), I had to update and change passwords/logins. In contrast, none of that has happened here. The difference is that a sophisticated state actor has more data points in their system on where I was at a particular date. I won't get into concerns people may have on that, or a discussion of the intelligence value of that information, but what can any of these services do about that?

And if you want to "lock" your credit, you have the right to do that by contacting the major credit reporting agencies. It's free. Plus, you can get your credit report for free once a year from each of the major credit reporting agencies.
kalo93406 likes this.
C17PSGR is offline  
Old Mar 14, 2019, 3:13 pm
  #512  
 
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
Originally Posted by C17PSGR
Fair enough ... not sure that a Court will agree though, particularly if the thief was a sophisticated state actor with unlimited resources.



There have been dozens of major data breaches. I don't think this one is any more "serious" than the others. Do you know of any consumer company that has offered more than a year of coverage? Do you know of any business who has used Lifelock in a data theft?

And, the practical issue is that this data was stolen a while ago but there is no evidence of any impact because it was a state actor. Another ID monitoring coverage (not sure how many I have at the moment) won't do any good and is a waste of time and money for everyone. In contrast, when the Home Depot and Target data breaches took place, it quickly became evident that credit cards were being used. I had to deal with the hassle of getting new credit cards, updating automatic payment accounts, reporting charges that weren't mine. When a couple of the different email systems were hacked (Yahoo), I had to update and change passwords/logins. In contrast, none of that has happened here. The difference is that a sophisticated state actor has more data points in their system on where I was at a particular date. I won't get into concerns people may have on that, or a discussion of the intelligence value of that information, but what can any of these services do about that?

And if you want to "lock" your credit, you have the right to do that by contacting the major credit reporting agencies. It's free. Plus, you can get your credit report for free once a year from each of the major credit reporting agencies.
I agree with all of your points, the fact it was stolen by a state actor removed some of the risk in many ways. Still, this focus on defending the actions of a company that has been so opaque about the whole event, based on who done it, I don't get that at all. Marriott's handling of this is to me more of a signal of their culture and ethics, and that is my primary complaint.
transportbiz is offline  
Old Mar 14, 2019, 3:44 pm
  #513  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by transportbiz
I agree with all of your points, the fact it was stolen by a state actor removed some of the risk in many ways. Still, this focus on defending the actions of a company that has been so opaque about the whole event, based on who done it, I don't get that at all. Marriott's handling of this is to me more of a signal of their culture and ethics, and that is my primary complaint.
I suppose I'm more focused on the state actor. Of course, Marriott can't say anything about the state actor or they won't be able to expand ...

But, I agree, like most things since 8/18, communication from Marriott has been extremely poor and customer engagement has been non-existent. As I mentioned in another thread, I think Arne is overly focused on gaming -- probably because he read a couple of blogs once talking about how to get nights for cheap meetings, etc. Planning for the obvious expected doubling of calls as well.

Objectively, some of the issues are blown out of proportion but part of the reason for that is that Arne is above it all. The issues, temporary, perceived, or real, might be less of an issue if Arne was out there talking to people, rather than driving his Prius, going to Ted Talks, and crunching numbers. Let's just say he's more likely to be the topic of an HBR crisis management article than the author ...
C17PSGR is offline  
Old Mar 14, 2019, 4:51 pm
  #514  
Suspended
 
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,729
Originally Posted by C17PSGR
Hotels in many countries scan or copy my passport. I don't like it but it's local law, what can I do?

According to Arne's testimony before Congress, legacy Marriott kept it at the hotel level. It seems like the current reservation system does as well. The downside of that is that the IT security for a Sotitel in Lima is questionable and accessible to lots of people. On the other hand, there's no great collection of data. Legacy SPG kept it on the overall system which provides greater security (although preventing a highly sophisticated state actor is always a challenge) but has a great collection of data.

As a practical matter, if you've traveled to Hong Kong, the state actor already absolutely has your passport info. Similarly, I presume if you've traveled to South America, much of Asia, Africa, the Middle East, and some countries in Europe, the state actor has it from there as well.

It's one thing to scan it.

But I'm not sure they retain it for any length of time, at least the small hotels. I doubt they keep copies of passports for every guest they've had indefinitely. And they can't get hacked if they never save it to some online database.

Whereas a big chain would digitize it and then save it to their database, where it could promptly get hacked.
wco81 is offline  
Old Mar 14, 2019, 5:39 pm
  #515  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by wco81
It's one thing to scan it.

But I'm not sure they retain it for any length of time, at least the small hotels. I doubt they keep copies of passports for every guest they've had indefinitely. And they can't get hacked if they never save it to some online database.

Whereas a big chain would digitize it and then save it to their database, where it could promptly get hacked.
Legacy Marriott agreed with your approach. But hotels in many countries are required to keep passports for years, even if not indefinitely. Of course, keeping copies in a file could be easy for an employee to steal. It's a tradeoff.
C17PSGR is offline  
Old Mar 14, 2019, 7:36 pm
  #516  
FlyerTalk Evangelist
 
Join Date: Jan 2007
Location: BOS/UTH
Programs: AA LT PLT; QR GLD; Bonvoy LT TIT
Posts: 12,753
Originally Posted by transportbiz
I think one year for such a serious breach is inadequate. But, of course that will be missed on the Marriott apologist.
I do hope that you're not talking about me. Like the good umpire, I calls 'em like I sees 'em. I'm far from an apologist.

Are other companies paying for a year of LifeLock in similar situations?


Originally Posted by transportbiz
Sorry, but if I park my car with the Valet at a hotel, and it's stolen, sure I'll be upset at the thief, but I'm going to blame the hotel. And so will the court.
Maybe. Depends on several factors.


Originally Posted by C17PSGR
The issues, temporary, perceived, or real, might be less of an issue if Arne was out there talking to people....
Agreed.
Dr. HFH is offline  
Old Mar 14, 2019, 8:47 pm
  #517  
FlyerTalk Evangelist
 
Join Date: Nov 2009
Location: Northeast Kansas | Colorado Native
Programs: Amex Gold/Plat, UA *G, Hyatt Globalist, Marriott LT Gold, NEXUS, TSA Disparager Unobtanium
Posts: 21,603
Looks like I’m unfortunately in the club of those who got hacked. Received a text a few minutes ago with a confirmation # for a stay tonight in the Chicago area. I tried to look at the confirmation # on the Marriott website and my account will not let me login. When I tried to reset the password, the email address on file was mostly the same as mine, though the domain was completely different.
FriendlySkies is offline  
Old Mar 20, 2019, 5:53 am
  #518  
 
Join Date: Jun 2005
Location: KSA
Programs: BA LTG, UA Gold, EK Silver, Hilton LT Diamond, Marriott LT Titanium, IHG Plat
Posts: 1,242
Originally Posted by transportbiz
Marriott first revealed they had a massive data breach on November 30, 2018, a breach they were aware of beginning September 8, 2018.

Supposedly Marriott began to notify customers ONLY by email, because that's such a reliable method, and then they used a moronic email address that they didn't own the domain name of. I never got that email, probably because my spam filter blocked it since it did not come from marriott.com

Then the company tells us they will cover 1 year's subscription to Kroll. One year, really? For such a major breach?

Marriott isn't providing coverage with LifeLock, which they could have done and which would have shown far greater corporate responsibility.

Then, it takes Marriott MONTHS to come up with a way to find out if your data was breached, and the only way you can do that is to provide all of the sensitive information to a third-party company on a web form...brilliant. I mean, seriously, Jay Leno couldn't write this stuff.

Then, that company takes all your personal information and searches the data base to come up with a report to you, (which you are never given any kind of time frame of when that might occur). It turns out it takes nearly a month.

Then once again, you get another email with a link to the report. The address used to send that email is also blocked by most spam filters.

Then you get the report, and I for one am even more astonished at the data that's been compromised. About the only piece of identifying information not stolen from me is my place of birth, and social security number! And the best Marriott is doing is a one-year subscription to Kroll service? This whole thing goes beyond egregious, it heads right in the direction of criminal, I'm not a prosecutor, but I'll be curious what happens when this gets out. I find it quite convenient, that these reports didn't go out to consumers until AFTER Sorenson's testimony on the Hill, an additional fact I'm sure investigators will find just a little too convenient.

This is my report:

Dear T,

We are in receipt of your inquiry regarding whether your personal data was involved in the recent
Starwood Guest Reservation Database security incident.
Based on the information you provided to us, we believe that your information was involved.
Following our analysis, we believe that the following information about you was involved in the
incident:

* Name
* Company Name
* Birthdate
* Birthday (Month and Day Only)
* Address Information
* Primary Email Address
* Primary Phone Number
* Other Phone Information
* Primary Fax Number
* Unencrypted Passport Number
* Encrypted Passport Number
* Passport Issuing Country
* Starwood Preferred Guest (SPG) Number
* Starwood Preferred Guest (SPG) Loyalty Status and Balances
* Guest Frequent Traveler Program Information
* Starwood Executive Traveler Number
* Guest Opt-In Preferences
* Email Communication Preferences
* Reservation Details
* Flight Information
* Central Starwood Unique Record Locator
* Registered Online Customer Indicator (Y/N)
* Returning Guest Indicator (Y/N)
* Employed at Starwood (Y/N)
* Record History Information

Where available in your country/region, Marriott is offering affected guests the opportunity to
enroll in a personal information monitoring service free of charge for one year. More information
about this service can be found at info.starwoodhotels.com.

If you have further questions or requests regarding this information, please contact us through this
portal. You will continue to have access to this request for the next 30 days.

Thank you.

Marriott Privacy Center
I got the same thing...

Is there no legal firm starting a class action here? Surely there has to be some penalty or fine levied upon Marriott or do they just get away with it.

What about breach of GDPR... I'll certainly sign up to whatever's going but so far there seems nothing?
moral_low_ground is offline  
Old Mar 20, 2019, 6:14 am
  #519  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by moral_low_ground
I got the same thing...

Is there no legal firm starting a class action here? Surely there has to be some penalty or fine levied upon Marriott or do they just get away with it.

What about breach of GDPR... I'll certainly sign up to whatever's going but so far there seems nothing?
Interestingly, while I don't live near any embassies, I haven't seen any protests in front of an embassy demanding that the state actor stop stealing our personal data. Otherwise, while they've added another brick to the wall ... or datapoints in the database ... about many of us, there's no practical impact.

I'm at a legacy Marriott in South America, where they followed the normal process and made three copies of my passport. Who knows where those copies go? Legacy Marriott didn't store the information in a reservation system but can a random employee get a copy of my passport?

And, as another practical point, when I left the last country and entered this country, the immigration authorities scanned it into their database. I wouldn't be shocked if those databases had also been hacked for another brick in the wall.

Have you considered there is a reason that the government officials dealing with the GDPR have gone silent? Consider the possibility that after their initial loud protestations, they learned what happened and have gone silent because they don't want to upset relations with the state actor.
C17PSGR is offline  
Old Mar 21, 2019, 6:19 am
  #520  
 
Join Date: Dec 2007
Location: Canada
Posts: 1,511
I just received the same thing? An absolute horrible dealing with this from Marriott. The email is so generalized that it does not say anything specific? They send the email and tell you everything about you that they had on file has been compromised and pretty much see you later. I sent an email back telling them the same thing - how horrible this has been handled; I want specifics as to what has been compromised of my information etc. Curious if I will even get a response?

Yeah, maybe nothing will come of this but I'm not interested in finding out the hard way! Absolutely pathetic the communication they sent back. Pathetic.
Bravada04 is offline  
Old Mar 21, 2019, 9:21 pm
  #521  
 
Join Date: Jan 2005
Location: Toronto, NYC, somewhere on planet Earth
Programs: UA 1K, AA ExPlat, Hyatt Diamond, SPG Plat, Marriott Gold
Posts: 8,289
Try finding out how to get your passport replaced if information was stolen. Kroll told me to send in the OneTrust report, copy of passport and a receipt, but warned that Marriott could still deny the claim. When I asked on what grounds, the Supervisor would not answer. Calls to Marriott HQ have been replied by email to check the Kroll site for information. They hid the news for quite a while (I never got an email from them and their systems show no correspondence with me about until I called them) and after saying they would replace passports that were hacked are undermining any attempt to get answers on how to get passport reimbursed!
neuron is offline  
Old Apr 4, 2019, 10:05 pm
  #522  
 
Join Date: Apr 2008
Posts: 2,358
Can I get back my Platinum status utilizing Marriott's data breach?

I was Platinum until 2/28 of this year. I got demoted to Gold because I did not have enough nights in 2018 to keep Platinum for this year (2019).

I stopped using Marriott last year after I learned of Marriott's data breach.

Several days ago I received an e-mail from Marriott confirming that my personal information was part of the breach.

My driver license information, my passport number, and credit card information plus other personal information about me is now in the hands of unknown hackers because Marriott collected and stored information on me and did not keep that information secure.

I do not understand why staying at a hotel as a known customer required Marriott to obtain my driver license and passport information in their files. I stayed at foreign locations which is why my passport was required by Marriott.

Staying at a hotel should not be the basis of losing your privacy to hackers.

I have been asked to join class-action lawsuits about the Marriott hack, which I declined.

In view of the fact that I was Platinum through February of this year, does anyone know if I can get my Platinum restored for the remainder of this year which will allow me to earn the status for 2120?

Considering the data breach, will Marriott restore Platinum status to those who lost it this year due to an insufficient number of stays?

Does Marriott realize the work and expense involved in getting a new driver license and passport number?

Getting a new credit card was simple and did not cost anything.

Does Marriott realize the goodwill that would be generated if they restored Platinum to those who were demoted this year due to an insufficient number of stays?

Any suggestion is appreciated.

Am I wishing for too much?
dgcpaphd is offline  
Old Apr 4, 2019, 10:17 pm
  #523  
FlyerTalk Evangelist
 
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.9MM, Marriott Gold, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 13,811
Originally Posted by dgcpaphd
In view of the fact that I was Platinum through February of this year, does anyone know if I can get my Platinum restored for the remainder of this year which will allow me to earn the status for 2120?
Possible but slim.

I don't know how far the class action is. But assuming the case is in settlement phase and you have excluded yourself, you can ask for this when you decide to sue Marriott and bring this up as a settlement offer.

Other than that, I don't see why Marriott needs to do so.
garykung is offline  
Old Apr 4, 2019, 10:24 pm
  #524  
 
Join Date: Feb 2019
Posts: 121
Originally Posted by dgcpaphd

Am I wishing for too much?
Yes, I think you are wishing for too much. Your information has probably been leaked in other data breaches before. Mine has multiple times. Companies don't always alert customers when breaches happen. You can freeze all credit reports for free now. That is what I do.

There were millions of people affected by the data breach at SPG. Marriott is not going to give all of those people platinum status. If Marriott did, FT would explode!

My state won't issue new Driver's License numbers unless you can prove crimes have been committed in your name using the Driver's License. My state also takes fingerprints for added protection with DL renewal. I didn't get a new passport number, either.

This is the new normal, unfortunately. It's not just Marriott. We just have to adjust our behaviors to defend against it.
Jaunts is offline  
Old Apr 4, 2019, 10:41 pm
  #525  
 
Join Date: Dec 2009
Location: COS
Programs: UA Gold/1.5MM (several years running now!), Marriott LTTE, Hertz Prez
Posts: 1,899
To me this is a little bit like "hey, your restaurant gave me food poisoning last week - can I get your best table?"

(Obviously Plat is not the best table, but nevertheless...)
CCIE_Flyer is offline  

