
Marriott Data Breach [from Starwood database] : 500 Million Guests affected


Old Mar 13, 19, 12:09 pm   -   Wikipost
Last edit by: MasterGeek
From Starwood Lurker team :
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marrio...8-11?r=US&IR=T
https://www.prnewswire.com/news-rele...300758155.html

You can enroll in the "identity" monitoring service provided by Marriott because of this breach here. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html

Old Nov 30, 18, 9:54 am
  #106  
FlyerTalk Evangelist
 
Join Date: Sep 2007
Location: BOS
Programs: DL DM 1MM, Marriott LTPlat, Hertz PC
Posts: 11,865
Originally Posted by Bravada04 View Post
So now KROLL wants me to send all my information via email?! Credit Card info...etc., Just a continued circle.
Yeah sorry I'm not submitting every bit of my personal info like CC and passport info to KROLL.
Old Nov 30, 18, 9:55 am
  #107  
 
Join Date: Aug 2002
Location: YYZ
Programs: BA Gold/SPG Gold/HH Diamond/IC Plat Amba
Posts: 5,408
Originally Posted by maracle View Post
It's fascinating to see SPG enthusiasts somehow blaming Marriott for the mess Starwood created. It seems like the merger is likely to have exposed a years long failure by Starwood to secure customer data.
In 2014 I had my Starwood account hacked and most of the points transferred to Etihad. I phoned them and the points were put back into a new account, although no explanation was given, so Starwood had to know they were breached even back then.
amanuensis likes this.
Old Nov 30, 18, 9:56 am
  #108  
 
Join Date: Nov 2014
Location: Nomad
Programs: A3*G, TK*G, UIA PremEY Silv, CX Silv, Hyatt Diam, , Skyteam Elite+,HH Diam, SPG Plat100, EK Silv
Posts: 1,291
Originally Posted by maracle View Post
It's fascinating to see SPG enthusiasts somehow blaming Marriott for the mess Starwood created. It seems like the merger is likely to have exposed a years long failure by Starwood to secure customer data.
yes and Marriott IT, Accenture and those pedantic people didn't see anything and are living with it for the last 2 years.
What do you think? Amateurs ... irresponsible... and I hope they will be the first big EU fine for GDPR matters! Well deserved!
tfong007 likes this.
Old Nov 30, 18, 9:56 am
  #109  
 
Join Date: Dec 2017
Posts: 266
Originally Posted by bozacksmith View Post
I had just heard that they think their decrypt keys (for credit cards etc) may have been leaked and compromised which is a total ... how on earth does that even happen as those are part of the golden keys to any orgs kingdom.
Notepad file on the top level share folder for easy access? Just a guess.
Old Nov 30, 18, 10:00 am
  #110  
2019 FlyerTalk Awards
 
Join Date: Jun 2016
Location: Prince Edward Island
Programs: Aeroplan Black, Hilton Honors Gold, Marriott Gold, Mlife Pearl
Posts: 1,273
Originally Posted by rylan View Post
Yeah sorry I'm not submitting every bit of my personal info like CC and passport info to KROLL.
My thought exactly. Plus I'm sure they will harass everyone to renew once their free year is up.
Old Nov 30, 18, 10:04 am
  #111  
 
Join Date: Nov 2014
Location: Nomad
Programs: A3*G, TK*G, UIA PremEY Silv, CX Silv, Hyatt Diam, , Skyteam Elite+,HH Diam, SPG Plat100, EK Silv
Posts: 1,291
Accenture is removing, or trying to remove, some information... not accessible... but they were already the Starwood IT outsourcing / advisor...
Congrats to them for such a work!

https://newsroom.accenture.com/indus...on-program.htm
Old Nov 30, 18, 10:04 am
  #112  
FlyerTalk Evangelist
 
Join Date: Sep 2014
Programs: AC SE100K, 1MM, NH, DL, GE/Nexus, APEC..
Posts: 15,158
Originally Posted by phltraveler View Post
As I made post #48 , I don't think that it's useless finger pointing to point out that the breach started under Starwood but Starwood's liabilities are Marriott's, and express disbelief that a system that Marriott had been working on integrating with their own website/rewards IT for over two years remained compromised throughout the entire integration period, including after the Single loyalty program/website integration on 08/18, and that the security breach was only found after they had integrated the starwood reservation system/servers with Marriott.com and Marriott Rewards. Given that it's another failure on the part of the combined Marriott/Starwood from an IT perspective, groaning is going to come with the territory.....
Absolutely agree.

And, whether one is a SPG loyalist or Marriott fan,
IMHO:
1. This merger only benefited shareholders and execs, not guests or employees
2. Arne should be tossed, along with anyone else who shared his myths and approach
3. Breach or not, Marriott IT and Customer Service was horrid before the merger and is worse now
4. For those of us who lost nights, stays, points etc with the combining of accounts, the breach is almost a "who cares" moment
5. There are severely incompetent people working at Marriott IT who, among other things, enjoy sending emails suggesting using the Marriott portal to book a Westin or W or Sheraton, not the SPG site, yet when selecting a SPG property, the Marriott portal bumps you to the SPG site; who suggest that if you can't book a property, clear cookies, or my personal favourite "unplug your computer"

The list goes on as many of you and so many others can attest to.

So, for some, this 500 million whatever data breach is a freak-out. For others, it's a reminder that big "egos" made the decision to merge the companies and regardless of whether the hack was on SPG and prior to the integration/combining/whatever, IN NO WAY does it absolve Arne and his gang of the responsibility of not taking the time to get it right.

It is a fiasco and you can all choose to disagree.
tfong007, phltraveler and frenchft like this.
Old Nov 30, 18, 10:04 am
  #113  
 
Join Date: Nov 2014
Location: Nomad
Programs: A3*G, TK*G, UIA PremEY Silv, CX Silv, Hyatt Diam, , Skyteam Elite+,HH Diam, SPG Plat100, EK Silv
Posts: 1,291
Originally Posted by Low Roller View Post
My thought exactly. Plus I'm sure they will harass everyone to renew once their free year is up.
was the case when Hyatt provided such service too... useless and pushy people
Old Nov 30, 18, 10:06 am
  #114  
 
Join Date: Feb 2013
Location: Miami, FL
Programs: UA 1MM, Marriott LT PPE, Hilton ♢, Hyatt Disc, IHG Plat, Radisson Gold, Hertz PC
Posts: 4,342
Originally Posted by rylan View Post
Yeah sorry I'm not submitting every bit of my personal info like CC and passport info to KROLL.
Actually it is a pretty decent service. At least monitor your email and phone. You don't have to enter your cc, ss# or passport.

I enrolled and saw breaches across numerous websites. I went back to those websites and deleted my accounts.
Old Nov 30, 18, 10:06 am
  #115  
 
Join Date: Nov 2014
Location: Nomad
Programs: A3*G, TK*G, UIA PremEY Silv, CX Silv, Hyatt Diam, , Skyteam Elite+,HH Diam, SPG Plat100, EK Silv
Posts: 1,291
Originally Posted by bozacksmith View Post
Geez, from someone in the cybersecurity field who has done breach investigations, this is a bit ridiculous. Yes it was under the SPG IT umbrella so it is harder to point blame, but it also depends on what the merger dictated within the IT groups; this isn't abnormal, to have a bad guy lurking for years in a network. I had just heard that they think their decrypt keys (for credit cards etc) may have been leaked and compromised which is a total ... how on earth does that even happen as those are part of the golden keys to any org's kingdom. I dealt with the last SPG POS breach and moved on but I am just done with the whole Marriott merger and after this year will have shifted everything away.

For anyone that is worried if this exposes your info, I almost guarantee your info is already out there somewhere anyways by now. This I am sure will climb above the 500 million....

Here is also a better article as Krebs specializes in cyber investigative reporting:
https://krebsonsecurity.com/2018/11/...4-year-breach/
Accenture on both sides: Starwood and Marriott. Very deep IT outsourcing. Both are considered key WW clients at Accenture.
Old Nov 30, 18, 10:07 am
  #116  
 
Join Date: Jan 2012
Location: Iowa City, IA
Posts: 336
I think marriott is trying to spread the blame around for this. Their statements are contradicting:

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.
On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
Common sense would dictate if there was proof that info was copied using unauthorized access to the Starwood database, that the contents would be from the Starwood database. You don't need to decrypt it to figure that part out. I think more than likely this breach didn't occur until Marriott purchased Starwood, and what they really mean is that the data spans 4 years. I am an IT system administrator and I find it highly unlikely that this breach has been ongoing for 4 years straight! Not just unlikely, virtually impossible. These things are generally found out pretty quickly, though almost always after the damage is done. This would be quite the coincidence that with their major integration problems this is a separate, unrelated incident.
Old Nov 30, 18, 10:10 am
  #117  
 
Join Date: Feb 2000
Location: Pittsburgh
Programs: Whoever Has the Best Bonus
Posts: 4,885
I had my SPG Amex used in Brazil (Amex caught it immediately and didn't let it go through) and I had no idea why. Now it seems this could be why as I only used it for my Starwood reservations in the time frame shown.
Old Nov 30, 18, 10:12 am
  #118  
 
Join Date: Nov 2014
Location: Nomad
Programs: A3*G, TK*G, UIA PremEY Silv, CX Silv, Hyatt Diam, , Skyteam Elite+,HH Diam, SPG Plat100, EK Silv
Posts: 1,291
Originally Posted by nsummy View Post
I think marriott is trying to spread the blame around for this. Their statements are contradicting:

Common sense would dictate if there was proof that info was copied using unauthorized access to the Starwood database, that the contents would be from the Starwood database. You don't need to decrypt it to figure that part out. I think more than likely this breach didn't occur until Marriott purchased Starwood, and what they really mean is that the data spans 4 years. I am an IT system administrator and I find it highly unlikely that this breach has been ongoing for 4 years straight! Not just unlikely, virtually impossible. These things are generally found out pretty quickly, though almost always after the damage is done. This would be quite the coincidence that with their major integration problems this is a separate, unrelated incident.
The way they managed it is, as far as I know, not very good for their relationship with the EU...

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
Old Nov 30, 18, 10:23 am
  #119  
 
Join Date: Nov 2014
Location: New York
Programs: MB-LTT , HH-Diam., HGP-Expl., Accor-Plat., Former FPC-Plat.
Posts: 568
Originally Posted by CJKatl View Post
My passport had to be presented and was copied in many locations, including Thailand and China, although I do not remember if it needed to be included in the reservation. However, I made a reservation for my sister over the summer at the Prague Sheraton. She had dropped off the phone and I did not have their passport numbers. The agent knew we were going to call back to add those. A few hours later the hotel manager sent an email stating the numbers needed to be in the reservation and needed to match what was presented at check-in, so I know for sure that at least for the Prague Sheraton the information needed to be included in the reservation.
I don't believe I have ever given a hotel my passport info before arrival. Regardless, I believe that it is likely that personal information in it probably has been obtained fraudulently at some point. Unlike some other items, like credit cards, emails and passwords, which can be easily changed, replacing a passport every time a travel provider that had access to it is hacked isn't practical. While it is at a minimum annoying that passport data may have been breached, other than limiting who has access to it in the future as much as possible, I don't believe that there is much we can individually do about it.
Old Nov 30, 18, 10:26 am
  #120  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTP, Hertz President's Club
Posts: 907
Originally Posted by nsummy View Post
I think marriott is trying to spread the blame around for this. Their statements are contradicting:

Common sense would dictate if there was proof that info was copied using unauthorized access to the Starwood database, that the contents would be from the Starwood database. You don't need to decrypt it to figure that part out.
The statement is too vague. They discovered an attempt to access the database on September 8th. Attempt does not necessarily imply success. Other successful attempts may have gone undetected until later, and successful attempts could have gone on for years earlier.

Originally Posted by nsummy View Post
I think more than likely this breach didn't occur until Marriott purchased Starwood, and what they really mean is that the data spans 4 years.
It took three years for Yahoo to discover their breach. If the hackers were siphoning off personal info without selling the profiles on the dark web or misusing stolen credit card info, it could go undetected for a long time. Also, Starwood Reservation computers would regularly communicate with computers outside the extranet - directly with guests and travel agencies to make/change reservations, and directly to the hotels (largely franchised) to sync/change reservation information, so it's not exactly a typical intranet security scenario.

Details are lacking though. There needs to be a serious post-mortem done on this and the failure to discover it earlier.