
Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html
Old Dec 2, 2018, 10:59 pm
  #286  
 
Join Date: Jun 2004
Location: San Diego
Programs: IHG Spire Amb, HH Diamond, DL Diamond and 1MM
Posts: 3,610
What's the Evil Use of Passport Numbers?

Originally Posted by ucfjoe
Only 325 million guest stays have their passport info compromised. Everyone should go ahead and change their passport numbers now to be safe. At least credit card data appears to be safe here.
This may sound dumb, but what is the harm of my passport number being out in the hands of hackers?
In the news today, Senator Chuck Schumer says Marriott should pay everyone's fee for a new passport.
Bowgie is offline  
Old Dec 2, 2018, 11:34 pm
  #287  
Moderator, El Al and Marriott Bonvoy, FlyerTalk Evangelist
 
Join Date: Feb 2005
Location: SIN
Programs: SQ*G, Mar LTT, Hyatt Glb, AA LTG, LY, HH, IC, BA, DL, UA SLV
Posts: 12,018
Originally Posted by Bowgie
This may sound dumb, but what is the harm of my passport number being out in the hands of hackers?
In the news today, Senator Chuck Schumer says Marriott should pay everyone's fee for a new passport.
Just another bit of info for use in identity theft. One of many.
yosithezet is offline  
Old Dec 3, 2018, 12:18 am
  #288  
 
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,717


Actually, Marriott’s legal obligations to notify people of data breaches are not in T&Cs, they are in national and supranational laws which specify that notification must be immediate. Marriott T&Cs are irrelevant here. In the EU in particular this is not just some small irrelevant matter: data protection is taken very seriously and improper custodianship has massive fines attached - it works very differently than in less consumer-focused regimes like in the US.

All I’m saying is that, knowing Marriott, I can well imagine that they might be technically incapable of fulfilling their legal obligation to many members, but we know for sure they are not incapable of notifying Ambassador members, and therefore them not yet meeting their legal obligation is a matter of choice rather than incompetence. The point is not about whether some guests hear before others, which is irrelevant. The point is notifying each customer in as timely a manner as possible in line with legal obligations.

Last edited by yosithezet; Dec 5, 2018 at 2:48 am Reason: Deleted redacted content.
EuropeanPete is offline  
Old Dec 3, 2018, 2:43 am
  #289  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by Bowgie
This may sound dumb, but what is the harm of my passport number being out in the hands of hackers?
In the news today, Senator Chuck Schumer says Marriott should pay everyone's fee for a new passport.
Sen. Schumer is a sort of clown, and it can be sort of dangerous when you get in between the clown and the camera being chased by the clown.

With a passport number for a named person whose birthdate is known, accessing their travel records to some countries may become much, much simpler.

For example, if I were in the TATL criminal enterprise of home break-ins aimed at the relatively wealthy Germans with vacation homes in Florida, I could pretty much figure out when to rob the German houses of such Germans and the Florida homes of such Germans subject to this data breach if I had the passport numbers of those German guests who have been staying at Marriott properties during this year or last year. And that is with me using just publicly-available data. This wouldn't work like that if using a US passport, but there are other ways to use a US passport number to engage in fraud and theft of various sorts.

With a US passport number and name of the person, it may be easy to create a fake biodata passport image with a photo substitution included and use that along with some other data to open or access accounts of one or more persons in some jurisdictions. US passport number and SSN and a little access to US credit reporting data can be more useful to a knowledgeable criminal than even many in law enforcement would realize until it hits them over the head.

With all due respect, the above claim about Marriott having no obligation to inform of a breach earlier is a questionable claim at best. Marriott doesn't operate only in one corporate-kiss-up jurisdiction. It operates in a variety of jurisdictions and is subject to the legal and regulatory authority in many, many countries which aren't just one's own.
kennycrudup and EuropeanPete like this.

Last edited by yosithezet; Dec 5, 2018 at 2:50 am Reason: Removed redacted content
GUWonder is offline  
Old Dec 3, 2018, 2:58 am
  #290  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by kyanar
It's not certain, or even almost certain, in the slightest. It's a possibility, just like the possibility of it being a sophisticated cybercrime group such as one of the Magecart groups, but it's no more certain than that.
Disgruntled employees -- or those expecting to soon be disgruntled employees -- of the company or of the company's contractors have been a possibility for data breaches, and the motivations for doing something like this can vary. Even without an employee/contractor being disgruntled, some such persons may have done such a thing for reasons that had nothing to do with criminal or espionage activity (if even different), but it ended up being discovered and used for such activity.

Last edited by yosithezet; Dec 5, 2018 at 2:51 am Reason: Redacted content removed
GUWonder is offline  
Old Dec 3, 2018, 5:16 am
  #291  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
So Marriott now sends emails, at least to those it may think are covered by GDPR. I guess this is Marriott's idea of informing customers within 72 hours of breach recognition.
GUWonder is offline  
Old Dec 3, 2018, 5:37 am
  #292  
 
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,717
Originally Posted by GUWonder
So Marriott now sends emails, at least to those it may think are covered by GDPR. I guess this is Marriott's idea of informing customers within 72 hours of breach recognition.
You’ve received one?
EuropeanPete is offline  
Old Dec 3, 2018, 5:54 am
  #293  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by EuropeanPete
You’ve received one?
I haven't, but some have gotten the following: https://loyaltylobby.com/2018/12/02/...rity-incident/

My guess is that Marriott is having to pay for more billable hours from more lawyers in more jurisdictions than usual, but I won't have to guess for very long. Whatever gets confirmed, Marriott has shown itself to have lost the Boy Scouts' way: "be prepared".
GUWonder is offline  
Old Dec 3, 2018, 6:01 am
  #294  
 
Join Date: Jun 2008
Location: BDU
Programs: DL:MM, Marriott:LTT
Posts: 8,779
Originally Posted by EuropeanPete
Actually, Marriott’s legal obligations to notify people of data breaches are not in T&C’s, they are in national and supranational laws which specify that notification must be immediate. Marriott T&C’s are irrelevant here...
Correct. And those legal obligations have nothing to do with your being an Ambassador member, which provides you with some benefits per the T&Cs, but you keep stating Marriott should have reached out to you as an Ambassador member through your Ambassador, which is not so. And it makes sense that they do not want several different channels providing information so they are not creating a special earlier communication to Ambassador members or through Ambassadors, which would create confusion.

Last edited by yosithezet; Dec 5, 2018 at 2:53 am Reason: Removed content in line with FT Rule 12.2
CJKatl is offline  
Old Dec 3, 2018, 6:25 am
  #295  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by CJKatl
Correct. And those legal obligations have nothing to do with your being an Ambassador member, which provides you with some benefits per the T&Cs, but you keep stating Marriott should have reached out to you as an Ambassador member through your Ambassador, which is not so. And it makes sense that they do not want several different channels providing information so they are not creating a special earlier communication to Ambassador members or through Ambassadors, which would create confusion.

The liability arising from a poorly-met/unfulfilled legal obligation arising from a recognized data breach may vary based upon the type of relationship a company (and its agents) has with a customer.

Last edited by yosithezet; Dec 5, 2018 at 2:53 am Reason: Removed redacted content.
GUWonder is offline  
Old Dec 3, 2018, 6:58 am
  #296  
 
Join Date: Apr 1999
Location: Montréal, Canada
Posts: 1,610
Security Nightmare

I just typed Marriott into the Chrome search field and landed on someone's search page complete with name, status and number of points. The person is not known to me, hence this is not a residual page from a previous search. Are my account details visible to others as well? Marriott's IT department has truly come off the rails.
flyme2 is offline  
Old Dec 3, 2018, 7:19 am
  #297  
 
Join Date: Jun 2008
Location: BDU
Programs: DL:MM, Marriott:LTT
Posts: 8,779
Originally Posted by GUWonder
The liability arising from a poorly-met/unfulfilled legal obligation arising from a recognized data breach may vary based upon the type of relationship a company (and its agents) has with a customer.
I would bet my law degree that any difference in obligation to different customers has absolutely nothing to do with the poster being an Ambassador member or having an Ambassador. Ambassador member benefits are contractual between the member and the company, have to do with the marketing program only and are spelled out in the T&Cs.

Last edited by yosithezet; Dec 5, 2018 at 2:54 am Reason: Removed redacted content
CJKatl is offline  
Old Dec 3, 2018, 7:37 am
  #298  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by CJKatl
I would bet my law degree that any difference in obligation to different customers has absolutely nothing to do with the poster being an Ambassador member or having an Ambassador. Ambassador member benefits are contractual between the member and the company, have to do with the marketing program only and are spelled out in the T&Cs.
Betting your law degree in the US isn’t a big bet, as it’s not useful to most — at least not absent a willingness to engage in identity theft using say this breached Marriott data. But maybe you will bet your fingerprints too?

I have no doubt that the jurisdictions under which a US law degree means much of anything aren’t all the jurisdictions where Marriott has liability exposure arising from this breach. I also have no doubt that there is nothing in the Marriott T&Cs applicable to Ambassador customers that caps the ability of that relationship being used to consider whether or not Marriott made all best efforts to inform the impacted customer as fast as could be done or should have been done.


EuropeanPete likes this.

Last edited by yosithezet; Dec 5, 2018 at 2:55 am Reason: Removed content in line with FT Rule 12.2
GUWonder is offline  
Old Dec 3, 2018, 7:50 am
  #299  
 
Join Date: Oct 2013
Location: ORD
Programs: UA Silver, Marriott Platinum/LT Platinum, Hilton Gold
Posts: 5,594
Originally Posted by PointWeasel
C'mon. Being a Marriott defender is one thing, but Marriott detected the hack 2 days after the takeover, 2 months or 2 years?

I'm sorry but Marriott is in no way ahead of the curve on anything IT-related.

As a legacy SPG Platinum w/ Ambassador, yes I am angry that this could go on for so long, but in its typical bumbling way with IT-related issues the big parent company cannot even bother to send out an email with an update to a member such as myself.
And SPG didn't find it for 2 years prior. Perhaps it was difficult to detect and they figured it out as they were going through the IT integration? Probably the first time the Marriott side really dug into the SPG reservation system since it was doing its job up until that point. I would assume they had separate IT protocols and teams up until August. It doesn't excuse Marriott from any liability, but I'm simply trying to point out some reality here.

For what it's worth, I agree that Marriott needs to send out emails. Probably the lawyers are working on that now. It affects me personally as I've made many SPG reservations during those years, and am wondering if and how I'm affected. But any damage is done at this point so I'm not sure it matters to me if an email was sent now or a week from now. Maybe the hackers have quietly been sitting on my credit card info for years and now that the announcement is made they're going to start spending like crazy? I will say, however, for those who had passport info on reservations, that's a more serious issue, so I hope they inform and provide some type of remedy to those people quickly.
JBord is offline  
Old Dec 3, 2018, 8:00 am
  #300  
J S
 
Join Date: Apr 2001
Posts: 592
Given the total and complete mess that now passes for Marriott/Starwood's loyalty program, I am imagining the hackers currently trying to get the stay history corrected on the 327,000,000 accounts Starriott gave them access to.

Heck, let's just call this an enhancement to the mess of a program. Congratulations, now none of us have to worry about our missing stays.
J S is offline  