
Marriott Data Breach [from Starwood database] : 500 Million Guests affected

Old Apr 4, 19, 10:42 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: MasterGeek
From Starwood Lurker team :
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service that Marriott is providing because of this breach at the link below. It cannot be called "credit monitoring" because it gives no access to credit bureau report data (as held by Equifax, TransUnion and Experian) and sends no notifications when credit report data changes:
https://answers.kroll.com/us/index.html
Old Nov 30, 18, 8:13 am
  #76  
 
Join Date: Apr 2005
Location: NYC
Programs: SPG Platinum/Hyatt Diamond
Posts: 124
SPG is now and truly dead. Marriott is awful. Just cancelled my SPG AMEX card. Sad ending to a great
Starwood program.
choco is offline  
Old Nov 30, 18, 8:23 am
  #77  
 
Join Date: Aug 2001
Location: Toronto, Canada
Programs: Lifetime Titanium Elite Marriott
Posts: 1,746
How does the CTO still have a job? This is a case study of how not to handle a merger. What a total cockup. Seems like every day things get worse, not better.
tfong007 is offline  
Old Nov 30, 18, 8:26 am
  #78  
 
Join Date: May 2003
Location: LHR
Programs: SQ Krisflyer, QR Privilege Club, MB Titanium
Posts: 716
Wow, what a fiasco of a merger... It is really not that interesting if we attribute this to SPG's Mickey Mouse security protocols or to subpar due diligence by Marriott; the end result is a fiasco of a merger at best or a catastrophic merger at worst. Mr Sorenson should thank his lucky stars if he survives this.
X-ON is offline  
Old Nov 30, 18, 8:26 am
  #79  
 
Join Date: Dec 2017
Posts: 268
"Boss, we discovered hackers have access to the Starwood stay database. I just need your word to lock it down while we close it."

"Hold on there a second, we might lose some bookings. Tell you what, let's move the January integration target up to September since the Marriott stay database is clean. That will fix the security hole just fine."
EuropeanPete and MSPeconomist like this.
OssianBlue is offline  
Old Nov 30, 18, 8:27 am
  #80  
 
Join Date: Jan 2005
Posts: 503
Originally Posted by choco View Post
SPG is now and truly dead. Marriott is awful. Just cancelled my SPG AMEX card. Sad ending to a great
Starwood program.
Have you even read the cause of this breach? This was an SPG issue!!
oxfordjames is offline  
Old Nov 30, 18, 8:27 am
  #81  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTP, Hertz President's Club
Posts: 916
Originally Posted by CJKatl View Post
Posts 3, 4, 5, 9, 16, 17, 20, 23, 25, 32, 37, 44, 48, 60, 62 and 72. Almost one in four posts involve useless finger pointing. Many of those involve Marriott bashing or SPG cheerleading.
As I made post #48, I don't think that it's useless finger pointing to point out that the breach started under Starwood but Starwood's liabilities are Marriott's, and to express disbelief that a system that Marriott had been working on integrating with their own website/rewards IT for over two years remained compromised throughout the entire integration period, including after the single loyalty program/website integration on 08/18, and that the security breach was only found after they had integrated the Starwood reservation system/servers with Marriott.com and Marriott Rewards. Given that it's another failure on the part of the combined Marriott/Starwood from an IT perspective, groaning is going to come with the territory.

As far as what can be done, the FAQ on info.starwoodhotels.com is pretty comprehensive if actually read. The likelihood that someone would be able to acquire a credit line without a social security number might make a credit freeze excessive as a response to this specific breach (although a good measure anyway, given other data breaches and just the general safety of one's credit).

If you feel the information is not complete or is hard to find, might I suggest editing the wikipost on this thread instead? That way it's a centrally updated source visible regardless of the page one visits in this thread that can be updated by the community. Other than what Marriott has already provided via Kroll, I can't think of any other precautions at this time or info to provide.

Originally Posted by OssianBlue View Post
Wry laugh. Well, now we know the root cause of some of the chaos in the last few months--Marriott was knowingly operating a compromised stay database at its SPG properties and rushed the transition to "deal" with it.
Marriott instead claims via the info.starwoodhotels.com site that they were alerted to a potential data breach by a security tool on September 8th, closed the access of the unauthorized party on the 10th, and verified what the breach contained only on November 19th. If true, MR didn't knowingly rush any transition to deal with the breach.

Besides, the rewards programs were merged on 08/18 and Marriott.com was the central booking site, but booking any SPG hotel just took you over to the starwoodhotels.com subdomain - because the Starwood hotels were still using the legacy PMS at that time (over the past few weeks and coming months some properties have transitioned the properties to OPERA/Marriott reservations backend - PMS transition only happened at the end of October for Sheratons, for instance). That's why guest data post 08/18 (up until September 10th) is affected by this breach, but only at Starwood properties that still used the Starwoodhotels.com domain & Starwood reservations system.

Originally Posted by fransknorge View Post
For the time being, all coverage I am reading is clearly saying 500 million guests or people. None are saying 500 million bookings. Marriott should clarify.
With the minimum information transmitted for a hotel booking being a name and reservations not being required to contain a single reservations number (and a possibility for one individual to have more than one rewards account, accidentally or on purpose, or as a result of technical changes, like the pre-08/18 SPG numbers and then the post-08/18 merged Marriott Rewards account numbers being within the dataset), Marriott likely cannot tell if reservation #78 under John Smith is the same John Smith as reservation #361 or a different one.

With Marriott only decrypting the data dump on their servers on November 19th, that doesn't leave a lot of time for an exhaustive analysis to de-duplicate reservation records down to individuals (and the above factors making absolute de-duplication impossible anyways).

Marriott themselves on info.starwoodhotels.com use the terms:

Originally Posted by Marriott
Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
However, the nature of the above means it's likely that Marriott gave the worst case scenario by assuming every single reservation could be a different person. Marriott would catch infinitely less guff from the public/news outlets/governments for initially overstating the impact and correcting it to a smaller number than giving a smaller number and increasing it later.

Last edited by phltraveler; Nov 30, 18 at 8:39 am
phltraveler is offline  
Old Nov 30, 18, 8:32 am
  #82  
 
Join Date: Nov 2012
Location: Rhineland-Palatinate
Programs: OW Sapphire (BA), *A Gold (A3), Le Club Accor Silver, HHonor Gold
Posts: 2,102
For the time being, all coverage I am reading is clearly saying 500 million guests or people. None are saying 500 million bookings. Marriott should clarify.
fransknorge is offline  
Old Nov 30, 18, 8:33 am
  #83  
 
Join Date: Aug 2001
Location: Toronto, Canada
Programs: Lifetime Titanium Elite Marriott
Posts: 1,746
When do the class actions start? So much for protecting customer data.
tfong007 is offline  
Old Nov 30, 18, 8:34 am
  #84  
 
Join Date: Jun 2008
Location: ATL
Programs: DL:PM, Marriott:P/LTP, Hilton:G, NatCar:EE+, Hertz:PC
Posts: 8,728
Originally Posted by phltraveler View Post
As I made post #48, I don't think that it's useless finger pointing to point out that the breach started under Starwood but Starwood's liabilities are Marriott's, and to express disbelief that a system that Marriott had been working on integrating with their own website/rewards IT for over two years remained compromised throughout the entire integration period, including after the single loyalty program/website integration on 08/18, and that the security breach was only found after they had integrated the Starwood reservation system/servers with Marriott.com and Marriott Rewards. Given that it's another failure on the part of the combined Marriott/Starwood from an IT perspective, groaning is going to come with the territory.
Granted, your post contained little finger pointing and additional information, but so many others are like this:

Originally Posted by tfong007 View Post
How does the CTO still have a job? This is a case study of how not to handle a merger. What a total cockup. Seems like every day things get worse, not better.
and this:

Originally Posted by X-ON View Post
Wow, what a fiasco of a merger... It is really not that interesting if we attribute this to SPG's Mickey Mouse security protocols or to subpar due diligence by Marriott; the end result is a fiasco of a merger at best or a catastrophic merger at worst. Mr Sorenson should thank his lucky stars if he survives this.
and this:

Originally Posted by oxfordjames View Post
Have you even read the cause of this breach? This was an SPG issue!!

Last edited by CJKatl; Nov 30, 18 at 8:58 am
CJKatl is offline  
Old Nov 30, 18, 8:37 am
  #85  
 
Join Date: Dec 2009
Location: Nashville, TN
Programs: Marriott Lifetime Titanium; UA 1.5MM; UA Lifetime Gold (whoppee); AA EXP
Posts: 2,014
Look on the sunny side: This will mean some dirt cheap rates in the future to win back loyalty and just to gain trust back!
boss315 is offline  
Old Nov 30, 18, 8:37 am
  #86  
 
Join Date: Dec 2017
Posts: 268
Originally Posted by CJKatl View Post
Granted, your post contained little finger pointing and additional information, but so many others are like this:

And? What's inappropriate about venting after a colossal mess-up like this?
OssianBlue is offline  
Old Nov 30, 18, 8:41 am
  #87  
 
Join Date: Nov 2014
Location: New York
Programs: MB-LTT, HH-Diam., HGP-Expl., Accor-Plat., Former FPC-Plat.
Posts: 585
Originally Posted by CJKatl View Post
Bottom line: There was a breach. We need more information so we know if/what we need to do to protect ourselves. Do we really need the finger pointing? Does everything need to turn into an SPG-MAR circular firing squad?

Can we please allow this thread to help people learn about the breach and what needs to be done without cluttering it and making it unusable because people want to use the breach as another point in their pre-existing need to brag about a program that no longer exists?
I have my own domain and I utilize numerous email addresses and unique formula-based passwords. When traveling, I can forward all relevant email addresses to a primary one. If (when?) an email is compromised, I can create a new one in about a minute, and emails to the old one go into a SPAM folder. I realize that when using Gmail or a similar provider the process of creating and tracking multiple email addresses is more time consuming, but having a few different email addresses for online purchases may make sense for some people.

The credit cards I use and store on a company's website are rarely ones I use for everyday spending. Since my Starwood Luxury card is rarely used anywhere except SPG hotels, it isn't that much of an issue if I need to cancel it.

At this point, enough providers I use have been hacked that I assume that my address, phone number and birthday have been widely disseminated. Although my passport info isn't on any hotel websites, I have stored it on some airline sites.
rny321 is offline  
Old Nov 30, 18, 8:43 am
  #88  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTP, Hertz President's Club
Posts: 916
Originally Posted by rny321 View Post
At this point, enough providers I use have been hacked that I assume that my address, phone number and birthday have been widely disseminated. Although my passport info isn't on any hotel websites, I have stored it on some airline sites.
What happens if you use a corporate TA or other 3rd party TA to make a booking with international travel that includes a Starwood hotel along with airfare and rental car? Since it's all on the same booking in the GDS, would the passport be potentially transmitted as part of the booking info sent to Marriott?
phltraveler is offline  
Old Nov 30, 18, 8:48 am
  #89  
 
Join Date: Nov 1999
Programs: UA, DL, AA, Sutherlands Lumber
Posts: 6,633
Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.
Is this a red herring? It's a problem we acquired, we didn't create it.
pierre mclopez is offline  
Old Nov 30, 18, 8:49 am
  #90  
 
Join Date: Nov 2014
Location: New York
Programs: MB-LTT, HH-Diam., HGP-Expl., Accor-Plat., Former FPC-Plat.
Posts: 585
Originally Posted by phltraveler View Post
What happens if you use a corporate TA or other 3rd party TA to make a booking with international travel that includes a Starwood hotel along with airfare and rental car? Since it's all on the same booking in the GDS, would the passport be potentially transmitted as part of the booking info sent to Marriott?
Good question. I can't answer the question for others, but in my company passport information would only be transmitted to the airline. Since airline databases have been hacked, I am not naive enough to think my passport info has never been compromised. Still, the precautions I have taken minimize the inconvenience when the inevitable security breach happens.
rny321 is offline  