Last edit by: MasterGeek
From Starwood Lurker team :
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.
Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.
http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html
You can enroll in the "identity" monitoring service provided by Marriott due to this breach at the link below. It cannot be called "credit monitoring" because it does not provide access to credit bureau report data (as held by Equifax, TransUnion, Experian) or notifications when credit report data changes:
https://answers.kroll.com/us/index.html
Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m
#166
Join Date: Feb 2017
Programs: DL DM, UA Gold, Alaska MVP, Bonvoy (lol) Ambassador
Posts: 2,994
Lots of paranoia in this thread.
Data breaches aren't exactly uncommon. And just because you can see or read the data doesn't mean you can actually do anything with it if it is encrypted or incomplete.
If the door has been open at least 4 years - I'd certainly think someone by now would have been impacted - and I haven't read anything that any particular person has had an issue.
While unlikely, it could also be a state actor or industrial espionage. Knowing where people are planning to go is useful information for both states or for unscrupulous enterprises. Think M&A, unusual financial auditing activity, where certain government officials plan to go before announcements, and so on.
#168
A FlyerTalk Posting Legend
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,413
I find it amusing that on both CNN and NBC, when the media talk about this, they show pictures of legacy Marriott hotels, starting with a big Courtyard sign.
BTW, are they answering the hacked line any faster than they've been answering Plat, PP, etc. over the last months?
#170
Join Date: Dec 2006
Location: SNA
Programs: Bonvoy LTTE/AMB, AmEx Plat, National EE, WN A-List, CLEAR+, Covid-19
Posts: 4,967
#172
Join Date: May 2014
Location: Great Britain
Programs: Air: QR Silver. BA Silver Emirates, Hotels: CC Gold, IHG Spire AMB, Hilton Diamond.
Posts: 1,487
Great so crooks now have my home address along with a list of dates they know I won't be home.
If I am burgled can I take some sort of related legal action against Marriott ?
It seems like the only way to keep our data safe is for companies to not store any of it on servers which have access to the internet !
#173
Join Date: May 2014
Location: Great Britain
Programs: Air: QR Silver. BA Silver Emirates, Hotels: CC Gold, IHG Spire AMB, Hilton Diamond.
Posts: 1,487
How many shares in the company do I need to own in order to have a vote at the AGM to vote against any rise in the salaries / bonuses of the board of directors ??
I wonder if it'd be possible to get all / most of the members together, buy one share each and enter a vote of no confidence or the like in the entire board ???????? Just really to p*ss them off and deny them their cushy gravy train salaries & bonuses !!
Not sure there are 500 million shares are there ? It'd certainly cause a rather significant spike to the share price - at which point the directors would probably sell off their holdings making a killing so basically even if it was even remotely possible it would make them all rich and defeat the object anyway.
Hey ho. Random drunken ramblings ! Polishing off all my fancy wines & spirits this evening given I'm bound to be burgled soon now that crooks have my address AND a nice little list of all the dates they know I'll be away from my home !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!
Last edited by Sisyphus1carus; Nov 30, 2018 at 3:39 pm
#174
Join Date: Aug 2014
Location: YYZ
Programs: Ex-Bonvoyed, Hyatt, Hilton, BR, AC, AA
Posts: 1,298
#175
Join Date: Apr 2005
Programs: Starwood:Lifetime Platinum, Air Canada:Basic, Asiana:Lifetime Diamond Plus, ANA: Basic
Posts: 980
Hopefully, with the help of the FBI, they can find out if it was foreign governments or sophisticated crooks that did it.
Both SPG and Marriott had at least an average level of IT staff and commercially available enterprise-level security software. So the fact that the hack was able to be undetected since 2014 means it should be a sophisticated hack that went around all the security.
I am prepared to show understanding if Marriott/SPG was hacked by foreign governments. There is little defense against this type of hacking. Recall the Bloomberg news a month ago of the Chinese government putting a small chip on server motherboards to hack Apple and other Silicon Valley giants to steal technology secrets. All elite government hacking teams have access to operating system holes that maybe the original manufacturer (be it Microsoft or Google or Apple) doesn't know about yet. National law enforcement agencies (including the FBI) also buy services from data security companies whose sole purpose is to find vulnerabilities on devices/computers to help law enforcement "get in" when the accused is uncooperative with a court order. The point is... Every system has holes, and those with deep pockets and deep talent (normally governments) can get through like a cyber version of Mission Impossible. It would be unrealistic for commercial entities to guard their systems to the near-impenetrable level at which the Pentagon/CIA guard their systems.
#176
Join Date: May 2014
Location: Great Britain
Programs: Air: QR Silver. BA Silver Emirates, Hotels: CC Gold, IHG Spire AMB, Hilton Diamond.
Posts: 1,487
Whether it's 2% or 4% depends on whether or not it's considered either:
2%: Breach of controller or processor obligations
4%: Breach of data subjects’ rights and freedoms
In any case, "behind the scenes negotiations" is irrelevant - they have an obligation to notify. I'm not entirely clear what negotiation you'd even negotiate over... "We have a data breach, but we'll only follow our legal obligation to notify if you agree to give us a lower fine?"
This does not seem nearly enough of a penalty for allowing crooks access to my address along with a neat little list of dates I won't be home !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!
#177
Suspended
Join Date: Sep 2014
Programs: AC SE100K-1MM, NH, DL, AA, BA, Global Entry/Nexus, APEC..
Posts: 18,877
......Hey ho. Random drunken ramblings ! Polishing off all my fancy wines & spirits this evening given I'm bound to be burgled soon now that crooks have my address AND a nice little list of all the dates they know I'll be away from my home !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!
Looks like you're going to be needing an extra batch of exclamation marks.
I'll give you some of mine if you pour me a glass of one of your fancy wines.
#178
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
I haven’t seen any credit applications asking for someone’s passport number. If it’s the cover page of a passport, I can see that the DOB and DOP could potentially be useful. But the number?
A guest on Neil Cavuto’s morning show said criminals could duplicate passports by using someone’s passport number. I am not so sure. I have heard that a physical passport can be used to make a fake, but with just a number?
So I am really not so sure about the usefulness of one’s passport number to a criminal. Perhaps we shouldn’t worry about it? Anyone else care to enlighten us?
#179
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Hopefully, with the help of the FBI, they can find out if it was foreign governments or sophisticated crooks that did it.
Both SPG and Marriott had at least an average level of IT staff and commercially available enterprise-level security software. So the fact that the hack was able to be undetected since 2014 means it should be a sophisticated hack that went around all the security.
I am prepared to show understanding if Marriott/SPG was hacked by foreign governments. There is little defense against this type of hacking. Recall the Bloomberg news a month ago of the Chinese government putting a small chip on server motherboards to hack Apple and other Silicon Valley giants to steal technology secrets. All elite government hacking teams have access to operating system holes that maybe the original manufacturer (be it Microsoft or Google or Apple) doesn't know about yet. National law enforcement agencies (including the FBI) also buy services from data security companies whose sole purpose is to find vulnerabilities on devices/computers to help law enforcement "get in" when the accused is uncooperative with a court order. The point is... Every system has holes, and those with deep pockets and deep talent (normally governments) can get through like a cyber version of Mission Impossible. It would be unrealistic for commercial entities to guard their systems to the near-impenetrable level at which the Pentagon/CIA guard their systems.
Governments get hacked. Even tools used by the NSA and other such organizations around the world known to hack into various systems have seen their system penetration tools swiped and used by others despite the measures taken to guard their systems. Technology is not perfect, processes aren't perfect and the people involved in both are certainly not perfect. Not when it comes to government, not when it comes to the corporate sector. But that doesn't excuse Marriott for what has happened and may happen with this data in the time ahead.
Lots of paranoia in this thread.
Data breaches aren't exactly uncommon. And just because you can see or read the data doesn't mean you can actually do anything with it if it is encrypted or incomplete.
If the door has been open at least 4 years - I'd certainly think someone by now would have been impacted - and I haven't read anything that any particular person has had an issue.
Unfortunately, Marriott isn't giving its customers enough details for the customers to make out all that Marriott knows about the breaches. Not that it will make all that much difference unless and until Marriott tells each and every customer all the info it had on that particular customer which was confirmed as being accessible to the hacker(s).
Last edited by GUWonder; Nov 30, 2018 at 4:06 pm
#180
Join Date: Dec 2007
Location: Body in Downtown YYZ, heart and mind elsewhere
Programs: UA 50K, refugee from AC E50K, Marriott Lifetime Plat
Posts: 5,132
2% of $22 billion = $457.88 million.
Let's round that off and say the GDPR fine alone could be in the $500 million+ range. Other countries may press for fines as well. And undoubtedly in the US at least there will be some class-action lawsuit.
Not to mention that Marriott will claim (possibly with justification) that the issue is primarily an SPG one and therefore the fines should be calculated only on the SPG unit of roughly $5 billion revenue. I suspect Marriott will devote substantial time / money not only to investigating and fixing the data leak, but also to various legal-related matters, particularly if the EU tries to enforce GDPR to the fullest.