
Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Old Apr 4, 19, 10:42 pm   -   Wikipost
 
Last edit by: MasterGeek
From Starwood Lurker team :
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll here in the identity-monitoring service Marriott is providing because of this breach. It cannot be called "credit monitoring" because it gives no access to credit bureau report data (as held by Equifax, TransUnion and Experian) and sends no notification when credit report data changes:
https://answers.kroll.com/us/index.html

Old Nov 30, 18, 7:35 am
  #61  
 
Join Date: Nov 2007
Location: Philadelphia, PA
Programs: AA Platinum, Marriott Titanium/Lifetime Titanium, UA Silver, Hilton Gold, Hertz 5*
Posts: 468
Even if passwords weren't leaked there's enough password breach databases out there for them to get a password for people who reuse the same password, and people reuse passwords a lot. (Generic infosec advice: get a password manager if you haven't already and use unique passwords everywhere)

And lol for the thought that this should have been caught in due diligence. You might audit their security processes, but it's not a "yes they're secure/no, they're not secure" question and even "good" security can be breached with enough effort, it's just a lot more difficult than against "bad" security.
fordan is offline  
Old Nov 30, 18, 7:37 am
  #62  
 
Join Date: Apr 2005
Location: LAX
Programs: UA Silver, AA, WN, DL
Posts: 3,952
For those that say it should have been found sooner under Marriott's watch, I ask whether it's realistic, especially why it wasn't found sooner under SPG.

Given the first priority for Marriott was to merge the system, and the reality is that there is limited time and resources to do everything. Hindsight is 20/20. So to put sole burden on Marriott while not emphasizing that the original breach under SPG had no responsibility, or to play down that responsibility, makes no sense.
Twickenham likes this.
luv2ctheworld is offline  
Old Nov 30, 18, 7:39 am
  #63  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,414
Originally Posted by rny321
Please correct me if I'm wrong, but my impression of security breaches are they are much less difficult to find when the initial exposure happens than in a forensic audit long afterwards. I had always assumed that it was like finding an error in someone else's code that happened a long time ago. Depending on the complexity and importance of the software, financial services companies will sometimes completely rewrite pricing or hedging models instead of using something developed by a predecessor. Marriott has performed poorly in a lot of ways since the merger and this is one more example of a lack of competence, but in this instance Starwood executives deserve most of the blame since it was their company's IT and management that allowed the backdoor into customer's data.
There is some consideration going on that someone bought or attempted to buy the stolen data -- in part or in whole -- and that acquired stolen data is what Marriott used to try to find out about what information was taken and from where. If Marriott just came clean publicly about how and when they found out about the data having been stolen, it would make matters much more clear to many more. Customers deserve the truth about what has gone on.

Some criminals are in the business of stealing retail customer data or of pretending to have stolen customer data and then trying to sell it back to those who were hacked.
GUWonder is online now  
Old Nov 30, 18, 7:42 am
  #64  
 
Join Date: Jul 2009
Posts: 491
So Marriott found out about this on September 10, and waited until November 30 to notify customers? I wonder if they were quicker than that to notify regulators - especially given the reporting requirements under GDPR:
  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach
Will be interesting to see how regulators respond. Fines can be up to 2% of worldwide turnover, and it's interesting to note that Marriott have made an 8-K filing in relation to the breach.

Edit: as pointed out by @GUWonder below, the fine could be 2% or 4%, depending on the specific regulations broken.
Football Fan and Seabilly like this.

Last edited by markle; Nov 30, 18 at 7:55 am
markle is offline  
Old Nov 30, 18, 7:43 am
  #65  
 
Join Date: Jun 2008
Location: ATL
Programs: DL:PM, Marriott:P/LTP, Hilton:G, NatCar:EE+, Hertz:PC
Posts: 8,729
Originally Posted by rny321
Please correct me if I'm wrong, but my impression of security breaches are they are much less difficult to find when the initial exposure happens than in a forensic audit long afterwards. I had always assumed that it was like finding an error in someone else's code that happened a long time ago. Depending on the complexity and importance...
It's whack-a-mole. Companies guard against known risks and what they think might happen. The crooks look for an opening that security experts did not consider. The crooks might try thousands of entry points/methods and only need to be correct once. It happened and could have happened to either company or any other company/organization/government entity out there. Blaming either IT team is fruitless, especially since none of the people assigning blame know what actually happened to allow the breach.

There are some on this board who look for any negative and bend themselves into pretzels to rationalize that anything and everything was better when it was SPG. No matter what the issue, these usual suspects will come up with a reason why it is Marriott's fault and it would not have happened had SPG been left to stand alone. We are seeing this, farcically, here. Does anyone take these contortion explanations seriously at this point?

Bottom line: There was a breach. We need more information so we know if/what we need to do to protect ourselves. Do we really need the finger pointing? Does everything need to turn into an SPG-MAR circular firing squad?

Can we please allow this thread to help people learn about the breach and what needs to be done without cluttering it and making it unusable because people want to use the breach as another point in their pre-existing need to brag about a program that no longer exists?
kennycrudup and Twickenham like this.
CJKatl is offline  
Old Nov 30, 18, 7:45 am
  #66  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,414
Originally Posted by markle
So Marriott found out about this on September 10, and waited until November 30 to notify customers? I wonder if they were quicker than that to notify regulators - especially given the reporting requirements under GDPR:

Will be interesting to see how regulators respond. Fines can be up to 2% of worldwide turnover, and it's interesting to note that Marriott have made an 8-K filing in relation to the breach.
2% or 4% of global revenue?

It sounds to me like people should consider that there was some negotiations going on behind the scenes.
GUWonder is online now  
Old Nov 30, 18, 7:45 am
  #67  
 
Join Date: Jan 2005
Location: SMF
Programs: SPG LTP
Posts: 1,376
Maybe I should e-mail the hackers to get my missing SNAs back before the end of the year since Marriott can't be bothered to reply.
Sam P. Goodman is offline  
Old Nov 30, 18, 7:46 am
  #68  
 
Join Date: Aug 2018
Posts: 424
Originally Posted by rny321
in this instance Starwood executives deserve most of the blame since it was their company's IT and management that allowed the backdoor into customer's data.
definitely the case. According to the press reports at the time, the merger agreement provided for generous golden parachutes to a few starwood executives. I sure hope that there was also a claw-back provision on those parachute deals.
MePlatPremier is online now  
Old Nov 30, 18, 7:47 am
  #69  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 87,414
Originally Posted by CJKatl
There are some on this board who look for any negative and bend themselves into pretzels to rationalize that anything and everything was better when it was SPG. No matter what the issue, these usual suspects will come up with a reason why it is Marriott's fault and it would not have happened had SPG been left to stand alone. We are seeing this, farcically, here. Does anyone take these contortion explanations seriously at this point?
Where in this thread are you seeing all of that? Or is this another example of imagining dragons to slay?
UA-NYC likes this.
GUWonder is online now  
Old Nov 30, 18, 7:49 am
  #70  
 
Join Date: Aug 2018
Posts: 424
Originally Posted by Sam P. Goodman
Maybe I should e-mail the hackers to get my missing SNAs back before the end of the year since Marriott can't be bothered to reply.
“Russia, if you’re listening...”
MePlatPremier is online now  
Old Nov 30, 18, 7:54 am
  #71  
 
Join Date: Jul 2009
Posts: 491
Originally Posted by GUWonder
2% or 4% of global revenue?

It sounds to me like people should consider that there was some negotiations going on behind the scenes.
Whether it's 2% or 4% depends on whether or not it's considered either:

2%: Breach of controller or processor obligations
4%: Breach of data subjects’ rights and freedoms

In any case, "behind the scenes negotiations" is irrelevant - they have an obligation to notify. I'm not entirely clear what negotiation you'd even negotiate over... "We have a data breach, but we'll only follow our legal obligation to notify if you agree to give us a lower fine?"
markle is offline  
Old Nov 30, 18, 7:55 am
  #72  
 
Join Date: Dec 2017
Posts: 268
Wry laugh. Well, now we know the root cause of some of the chaos in the last few months--Marriott was knowingly operating a compromised stay database at its SPG properties and rushed the transition to "deal" with it.
EuropeanPete likes this.
OssianBlue is offline  
Old Nov 30, 18, 8:01 am
  #73  
 
Join Date: Jun 2008
Location: ATL
Programs: DL:PM, Marriott:P/LTP, Hilton:G, NatCar:EE+, Hertz:PC
Posts: 8,729
Originally Posted by GUWonder
Where in this thread are you seeing all of that?
Posts 3, 4, 5, 9, 16, 17, 20, 23, 25, 32, 37, 44, 48, 60, 62 and 72. Almost one in four posts involve useless finger pointing. Many of those involve Marriott bashing or SPG cheerleading.
kennycrudup likes this.
CJKatl is offline  
Old Nov 30, 18, 8:08 am
  #74  
 
Join Date: Aug 2000
Location: ZRH / YUL
Programs: UA, TK , Starwood > Marriott
Posts: 6,317
Interesting to read how the agency Marriott retained, Kroll, describes their services around communicating data breaches:
controlling your message and quelling breach population fears
Heart-warming, no?
airoli is offline  
Old Nov 30, 18, 8:11 am
  #75  
 
Join Date: Jul 2003
Location: CT/ Germany - Ich spreche deutsch
Programs: UA Plat, AA Gold, LH Silver, Bonvoy LTTE, HH Dia, Hyatt Disc, PC Plat, CC Gold
Posts: 3,753
I don't think anyone on FT is really surprised by this considering we have been complaining about the 4 year old that is running their IT Department for months! If they can't integrate two programs without all the issues they have had I am not sure there should be much confidence in their security protocol. They should be slapped with a big fine like Target was a couple of years ago...maybe that will teach them something!
christianj is offline  