Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
Last edit by: MasterGeek
From the Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service Marriott is providing because of this breach at the link below. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion and Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html
Old Nov 30, 2018, 7:35 am
  #61  
 
Join Date: Nov 2007
Location: Philadelphia, PA
Programs: AA Platinum, Marriott Titanium/Lifetime Titanium, Hyatt Globalist, UA Silver, Hilton Gold, Hertz 5*
Posts: 477
Even if passwords weren't leaked, there are enough password breach databases out there for them to get a password for people who reuse the same password, and people reuse passwords a lot. (Generic infosec advice: get a password manager if you haven't already and use unique passwords everywhere.)

And lol for the thought that this should have been caught in due diligence. You might audit their security processes, but it's not a "yes they're secure/no, they're not secure" question and even "good" security can be breached with enough effort, it's just a lot more difficult than against "bad" security.
fordan is offline  
Old Nov 30, 2018, 7:37 am
  #62  
 
Join Date: Apr 2005
Location: LAX
Programs: UA Silver, AA, WN, DL
Posts: 4,091
For those who say it should have been found sooner under Marriott's watch, I ask whether that's realistic, especially given why it wasn't found sooner under SPG.

The first priority for Marriott was to merge the systems, and the reality is that there is limited time and limited resources to do everything. Hindsight is 20/20. So putting the sole burden on Marriott while not emphasizing that the original breach under SPG carried responsibility, or playing down that responsibility, makes no sense.
Twickenham likes this.
luv2ctheworld is offline  
Old Nov 30, 2018, 7:39 am
  #63  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by rny321
Please correct me if I'm wrong, but my impression of security breaches is that they are much less difficult to find when the initial exposure happens than in a forensic audit long afterwards. I had always assumed that it was like finding an error in someone else's code that happened a long time ago. Depending on the complexity and importance of the software, financial services companies will sometimes completely rewrite pricing or hedging models instead of using something developed by a predecessor. Marriott has performed poorly in a lot of ways since the merger and this is one more example of a lack of competence, but in this instance Starwood executives deserve most of the blame since it was their company's IT and management that allowed the backdoor into customers' data.
There is some consideration going on that someone bought or attempted to buy the stolen data -- in part or in whole -- and that acquired stolen data is what Marriott used to try to find out about what information was taken and from where. If Marriott just came clean publicly about how and when they found out about the data having been stolen, it would make matters much more clear to many more. Customers deserve the truth about what has gone on.

Some criminals are in the business of stealing retail customer data or of pretending to have stolen customer data and then trying to sell it back to those who were hacked.
GUWonder is offline  
Old Nov 30, 2018, 7:42 am
  #64  
 
Join Date: Jul 2009
Posts: 561
deleted
Football Fan and Seabilly like this.

Last edited by markle; May 25, 2023 at 6:33 am
markle is offline  
Old Nov 30, 2018, 7:43 am
  #65  
 
Join Date: Jun 2008
Location: BDU
Programs: DL:MM, Marriott:LTT
Posts: 8,779
Originally Posted by rny321
Please correct me if I'm wrong, but my impression of security breaches is that they are much less difficult to find when the initial exposure happens than in a forensic audit long afterwards. I had always assumed that it was like finding an error in someone else's code that happened a long time ago. Depending on the complexity and importance...
It's whack-a-mole. Companies guard against known risks and what they think might happen. The crooks look for an opening that security experts did not consider. The crooks might try thousands of entry points/methods and only need to be correct once. It happened and could have happened to either company or any other company/organization/government entity out there. Blaming either IT team is fruitless, especially since none of the people assigning blame know what actually happened to allow the breach.

There are some on this board who look for any negative and bend themselves into pretzels to rationalize that anything and everything was better when it was SPG. No matter what the issue, these usual suspects will come up with a reason why it is Marriott's fault and it would not have happened had SPG been left to stand alone. We are seeing this, farcically, here. Does anyone take these contortion explanations seriously at this point?

Bottom line: There was a breach. We need more information so we know if/what we need to do to protect ourselves. Do we really need the finger pointing? Does everything need to turn into an SPG-MAR circular firing squad?

Can we please allow this thread to help people learn about the breach and what needs to be done, without cluttering it and making it unusable because people want to use the breach as another point in their pre-existing need to brag about a program that no longer exists?
kennycrudup and Twickenham like this.
CJKatl is offline  
Old Nov 30, 2018, 7:45 am
  #66  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by markle
So Marriott found out about this on September 10, and waited until November 30 to notify customers? I wonder if they were quicker than that to notify regulators - especially given the reporting requirements under GDPR:

Will be interesting to see how regulators respond. Fines can be up to 2% of worldwide turnover, and it's interesting to note that Marriott have made an 8-K filing in relation to the breach.
2% or 4% of global revenue?

It sounds to me like people should consider that there were some negotiations going on behind the scenes.
GUWonder is offline  
Old Nov 30, 2018, 7:45 am
  #67  
 
Join Date: Jan 2005
Location: SMF
Programs: Bonvoy Titanium, SPG LTP
Posts: 1,526
Maybe I should e-mail the hackers to get my missing SNAs back before the end of the year since Marriott can't be bothered to reply.
Sam P. Goodman is offline  
Old Nov 30, 2018, 7:46 am
  #68  
 
Join Date: Aug 2018
Posts: 902
Originally Posted by rny321
in this instance Starwood executives deserve most of the blame since it was their company's IT and management that allowed the backdoor into customers' data.
Definitely the case. According to the press reports at the time, the merger agreement provided for generous golden parachutes to a few Starwood executives. I sure hope that there was also a claw-back provision on those parachute deals.
MePlatPremier is offline  
Old Nov 30, 2018, 7:47 am
  #69  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by CJKatl
There are some on this board who look for any negative and bend themselves into pretzels to rationalize that anything and everything was better when it was SPG. No matter what the issue, these usual suspects will come up with a reason why it is Marriott's fault and it would not have happened had SPG been left to stand alone. We are seeing this, farcically, here. Does anyone take these contortion explanations seriously at this point?
Where in this thread are you seeing all of that? Or is this another example of imagining dragons to slay?
UA-NYC likes this.
GUWonder is offline  
Old Nov 30, 2018, 7:49 am
  #70  
 
Join Date: Aug 2018
Posts: 902
Originally Posted by Sam P. Goodman
Maybe I should e-mail the hackers to get my missing SNAs back before the end of the year since Marriott can't be bothered to reply.
“Russia, if you’re listening...”
MePlatPremier is offline  
Old Nov 30, 2018, 7:54 am
  #71  
 
Join Date: Jul 2009
Posts: 561
deleted

Last edited by markle; May 25, 2023 at 6:33 am
markle is offline  
Old Nov 30, 2018, 7:55 am
  #72  
 
Join Date: Dec 2017
Posts: 746
Wry laugh. Well, now we know the root cause of some of the chaos in the last few months--Marriott was knowingly operating a compromised stay database at its SPG properties and rushed the transition to "deal" with it.
EuropeanPete likes this.
OssianBlue is offline  
Old Nov 30, 2018, 8:01 am
  #73  
 
Join Date: Jun 2008
Location: BDU
Programs: DL:MM, Marriott:LTT
Posts: 8,779
Originally Posted by GUWonder
Where in this thread are you seeing all of that?
Posts 3, 4, 5, 9, 16, 17, 20, 23, 25, 32, 37, 44, 48, 60, 62 and 72. Almost one in four posts involves useless finger pointing. Many of those involve Marriott bashing or SPG cheerleading.
kennycrudup likes this.
CJKatl is offline  
Old Nov 30, 2018, 8:08 am
  #74  
 
Join Date: Aug 2000
Location: ZRH / YUL
Programs: UA, TK, Starwood > Marriott, Hilton, Accor
Posts: 7,295
Interesting to read how the agency Marriott retained, Kroll, describes its services around communicating data breaches:
"controlling your message and quelling breach population fears"
Heart-warming, no?
airoli is offline  
Old Nov 30, 2018, 8:11 am
  #75  
 
Join Date: Jul 2003
Location: CT/ Germany - Ich spreche deutsch
Programs: UA 1K, Bonvoy LTTE, HH Dia, HY Expl
Posts: 4,657
I don't think anyone on FT is really surprised by this, considering we have been complaining about the 4-year-old who is running their IT department for months! If they can't integrate two programs without all the issues they have had, I am not sure there should be much confidence in their security protocol. They should be slapped with a big fine like Target was a couple of years ago... maybe that will teach them something!
christianj is offline  