
Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: MasterGeek
From Starwood Lurker team :
Please visit  info.starwoodhotels.com  for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here. It cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) or notifications when credit report data changes:
https://answers.kroll.com/us/index.html

Old Nov 30, 2018, 6:35 am
  #46  
 
Join Date: Jul 2005
Posts: 1,074
Originally Posted by chp
The Yahoo! mail breach in 2013 affected around 3 billion accounts. They wouldn't have had the amount of personal information leaked in this breach, though.

Email Password stolen Vs. Passport, DOB, CC info, etc.
jr1202sr is offline  
Old Nov 30, 2018, 6:40 am
  #47  
 
Join Date: Apr 2014
Programs: DL Gold, UA nothing (ex-GS), Marriott lifetime Plat, Hyatt Globalist
Posts: 920
Originally Posted by ethernal
It is almost certainly 500 million reservations and not 500 million unique guests.
The Starwood info site says “information on up to approximately 500 million guests”
getagb is offline  
Old Nov 30, 2018, 6:40 am
  #48  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTPP, Hertz Five Star
Posts: 1,077
Originally Posted by Orange County Commuter
While perhaps Marriott should have found it sooner, the issue started well before Marriott showed up
The issues became Marriott's when Marriott acquired Starwood two years ago in 2016.

More troubling is the point that Marriott should have caught this sooner. How was this not caught as part of due diligence, or during the integration of the Starwood Reservations system to Marriott.com/with the account linking for August 18th? The timeline clearly states that Marriott only discovered the unauthorized access on the Starwood network in September 2018, which is after Marriott merged loyalty programs with Starwood.

Originally Posted by getagb
The Starwood info site says “information on up to approximately 500 million guests”
It's weasel words (the phrase up to) because they don't want to be accused of minimizing/downplaying/understating the impact later. I could have multiple SPG account numbers, or I could book without SPG number one time, or older records might be incomplete (where it's not clear if I'm the same John Doe on one reservation as another because there is not enough other information [address, date of birth, email, etc.] to be sure if two reservations are the same person or entirely different people), etc.

It's probably a count of the total number of data records (reservation data) from the period when they can identify the breach having started to the time when they cut it off, a simple count statement on the # of rows in the database.
remymartin likes this.
phltraveler is offline  
Old Nov 30, 2018, 6:42 am
  #49  
 
Join Date: Jul 2005
Posts: 1,074
Originally Posted by Starwood Lurker IV
Dear all,

Thanks for reaching out about the Starwood guest reservation database security incident. Please visit  info.starwoodhotels.com  for more information about this incident, available resources and steps you can take.

All the best,

Alice K.
Social Media Specialist
Marriott International

Awesome so you give away "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates"

and to make up for it you offer just 1 YEAR of WebWatcher and all is forgotten? Marriott is so cheap they can't even pay for lifetime monitoring or at least 3-5 years.
jr1202sr is offline  
Old Nov 30, 2018, 6:44 am
  #50  
 
Join Date: Mar 2010
Location: PHL
Posts: 15
AmEx reports credit card numbers not involved with this security breach so no need to replace existing card, yet!
Tedyuscung is offline  
Old Nov 30, 2018, 6:47 am
  #51  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTPP, Hertz Five Star
Posts: 1,077
Originally Posted by Tedyuscung
AmEx reports credit card numbers not involved with this security breach so no need to replace existing card, yet!
Well according to the info.starwoodhotels.com domain, credit card data was on some of the reservations, but it was AES encrypted and required at least two pieces of information (keys) to decrypt. However, according to the same site, Marriott cannot definitively prove that the people who stole the records also didn't have access to these encryption keys (and therefore would be able to decrypt the credit card data to a usable/readable format).

Amex, Chase, and other issuers will probably wait for signs of misuse in a pattern (e.g. seeing a fraud pattern on their cardholders who had stayed at SPG properties from 2014-2018) or for Marriott to report that there is forensic evidence on the Starwood servers that the hackers did access/use the information required to decrypt the card numbers before going to mass reissues.
phltraveler is offline  
Old Nov 30, 2018, 6:47 am
  #52  
 
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,712
Originally Posted by Tedyuscung
AmEx reports credit card numbers not involved with this security breach so no need to replace existing card, yet!
That’s good news. I’ve still not thrown away the envelope my new AMEX came in after BA leaked my details all over the web.
remymartin likes this.
EuropeanPete is online now  
Old Nov 30, 2018, 6:49 am
  #53  
FlyerTalk Evangelist
 
Join Date: Apr 2009
Location: India
Programs: Bonvoy Lifetime Titanium, IHG Plat, HH Gold, Trident Plat, DL Diamond, AI Maharajah
Posts: 29,649
I don't have my passport information on my SPG/Marriott account but I do have my credit card info... My card is due to expire in the next 3 months so it may be a good idea to just request them to send a new one now...
Keyser is offline  
Old Nov 30, 2018, 6:50 am
  #54  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by phltraveler
Well according to the info.starwoodhotels.com domain, credit card data was on some of the reservations, but it was AES encrypted and required at least two pieces of information (keys) to decrypt. However, according to the same site, Marriott cannot definitively prove that the people who stole the records also didn't have access to these encryption keys (and therefore would be able to decrypt the credit card data to a usable/readable format).

Amex, Chase, and other issuers will probably wait for signs of misuse in a pattern (e.g. seeing a fraud pattern on their cardholders who had stayed at SPG properties from 2014-2018) or for Marriott to report that there is forensic evidence on the Starwood servers that the hackers did access/use the information required to decrypt the card numbers before going to mass reissues.
If the hacking party knows its criminal marketplace and has what they need to use Marriott's stored bank card info -- they won't dump the stolen card data in one whole bunch.

Originally Posted by Tedyuscung
AmEx reports credit card numbers not involved with this security breach so no need to replace existing card, yet!
That's interesting, since Marriott's PR statements on this earlier today had said they weren't clear about whether or not card info had been lifted and usable too or not.

This news coming out on a Friday -- instead of earlier in the work week -- does beg questions about whether or not the timing of the public release by Marriott was intentionally set by Marriott for Friday for PR management purposes.
GUWonder is offline  
Old Nov 30, 2018, 6:53 am
  #55  
 
Join Date: Mar 2005
Posts: 19
Originally Posted by PointWeasel
You have to be kidding me.

info.starwoodhotels.com

I have had to replace 3 Amex cards this year due to being compromised.

Well done Marriott, keep up the good job.

Now I have to wait for the email saying I was part of the millions.

I have had to replace my Marriott Visa 6x in the last 2 years. I have been trying and trying to figure out the root cause.
caw414 is offline  
Old Nov 30, 2018, 6:53 am
  #56  
 
Join Date: Jan 2017
Posts: 805
It’s an unbelievably complex subject. No one could have possibly known how complicated IT security is!
sethMCOflyer is offline  
Old Nov 30, 2018, 6:59 am
  #57  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by sethMCOflyer
It’s an unbelievably complex subject. No one could have possibly known how complicated IT security is!
It's unbelievably simple to know that major travel service providers ask for and keep a lot of customers' personal information. And it's unbelievably simple to know that such information is targeted by hackers -- criminals and even state-backed actors -- for a reason.

Maybe the information should be more properly protected (by the company wanting all such info) or perhaps even not kept at all by the company? The less you have, the less you have to simply protect? Isn't it that simple?
GUWonder is offline  
Old Nov 30, 2018, 7:00 am
  #58  
 
Join Date: Jul 2005
Posts: 1,074
jr1202sr is offline  
Old Nov 30, 2018, 7:25 am
  #59  
 
Join Date: Apr 2005
Location: Bern, Swiss-o-land
Programs: M&M (LX/LH) Silver, Marriott Platinum, Accor Silver, AF/KL Silver, Swiss Railway
Posts: 791
No Swiss telephone number listed on info.starwood.com
Gigantor is offline  
Old Nov 30, 2018, 7:28 am
  #60  
 
Join Date: Nov 2014
Location: New York
Programs: MB-LTT , HH-Diam., HGP-Expl.
Posts: 778
Please correct me if I'm wrong, but my impression of security breaches is that they are much less difficult to find when the initial exposure happens than in a forensic audit long afterwards. I had always assumed that it was like finding an error in someone else's code that happened a long time ago. Depending on the complexity and importance of the software, financial services companies will sometimes completely rewrite pricing or hedging models instead of using something developed by a predecessor. Marriott has performed poorly in a lot of ways since the merger and this is one more example of a lack of competence, but in this instance Starwood executives deserve most of the blame since it was their company's IT and management that allowed the backdoor into customers' data.
rny321 is offline  
