Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.
Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.
http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html
You can enroll in the "identity" monitoring service provided by Marriott due to this breach here; it cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html
Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m
#376
Join Date: Nov 2015
Location: BNE
Programs: NZ*G, QF Bronze, VA Red
Posts: 563
Nope. Not sure where you get that from.
However, I think these facts strongly suggest (pick your words) the theft was by a state actor rather than a private criminal. If it was an economic crime, certainly Amex or Chase would have noticed that there was a pattern of fraud in their MR/SPG cards that was different than their United/Delta cards. If it was an attempt to steal SPG points, certainly there would have been a bunch of people on here who noticed the coordinated theft before it was reported anywhere else. If it was to get the random passport number (most reservations won't have that -- only certain countries require that info), we'd see some reports of that.
On the other hand, if it was a sophisticated state actor that decided to collect a lot of data of who was where and when they were there for the purpose of adding to their intelligence database, we wouldn't see any of those things.
And Marriott wouldn't dare suggest anything about the state actor for fear they would face restrictions on doing business in that country. Of course, all the indicia of a state actor are pretty obvious and there is no indicia of private criminal activity.
They said the data dates back four years. I haven't seen them say that the exfiltration has been ongoing for four years.
Last edited by yosithezet; Dec 5, 2018 at 8:30 pm Reason: Removed personal comment in line with FT Rule 12.2
#377
A FlyerTalk Posting Legend
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,409
Good point. For all we know from the public announcements, the breach could have occurred once only, shortly before August/September of this year.
Could there be some Starwood database that gets purged at regular intervals to delete data roughly four years after a stay has been completed? I can't think what the purpose would be in that there's a statute of limitations regarding claiming points and nights/stay credit and any billing/ credit card problems would also need to be resolved long before four years have elapsed. Unlikely, but maybe some limit on filing civil lawsuits, for example if a guest has been assaulted on the property?
#378
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
No, a nation state intelligence activity is no more certain than a sophisticated criminal enterprise. There are no more indicia of state involvement than there are of criminal activity. In fact there are less, since nation states tend to be better at hiding their activity.
https://www.cnbc.com/2018/12/06/clue...ate-china.html
"Hackers behind a massive breach at hotel group Marriott International left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter. ....
Former senior FBI official Robert Anderson told Reuters that the Marriott case looked similar to hacks that the Chinese government was conducting in 2014 as part of its intelligence operations.
"Think of the depth of knowledge they could now have about travel habits or who happened to be in a certain city at the same time as another person," said Anderson, who served as FBI executive assistant director until 2015.
Michael Sussmann, a former senior Department of Justice official for its computer crimes section, said that the long duration of the campaign was an indicator that the hackers were seeking data for intelligence and not information to use in cyber crime schemes.
"One clue pointing to a government attacker is the amount of time the intruders were working quietly inside the network," he said. "Patience is a virtue for spies, but not for criminals trying to steal credit card numbers."
***
Aren't these the points (less reference to tools as I don't have any inside information) I've suggested made it obvious from the beginning?
Last edited by yosithezet; Dec 5, 2018 at 8:31 pm Reason: Removing comment personal comment
#379
Join Date: Nov 2015
Location: BNE
Programs: NZ*G, QF Bronze, VA Red
Posts: 563
Obvious? Not at all. You seem determined to leap to this conclusion despite there being no concrete evidence of this. Any evidence is circumstantial at best.
"Hackers behind a massive breach at hotel group Marriott International left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter. ....
Former senior FBI official Robert Anderson told Reuters that the Marriott case looked similar to hacks that the Chinese government was conducting in 2014 as part of its intelligence operations.
Michael Sussmann, a former senior Department of Justice official for its computer crimes section, said that the long duration of the campaign was an indicator that the hackers were seeking data for intelligence and not information to use in cyber crime schemes.
"One clue pointing to a government attacker is the amount of time the intruders were working quietly inside the network," he said. "Patience is a virtue for spies, but not for criminals trying to steal credit card numbers."
Aren't these the points (less reference to tools as I don't have any inside information) I've suggested made it obvious from the beginning?
#380
Join Date: Sep 2006
Location: HNL
Programs: UA GS4MM, MR LT Plat, Hilton Gold
Posts: 6,447
Personally, I could care less if the Chinese Government knows about my travel plans.
For all I know it was the US Government posing as the Chinese Government.
#381
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,719
I’d say 60-40 chance of a state actor, but it doesn’t sound like anything conclusive has been released as yet.
#382
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
The source of this has been obvious from the beginning. That being said, if you want more analysis beyond objective facts:
https://www.cnbc.com/2018/12/06/clue...ate-china.html
"Hackers behind a massive breach at hotel group Marriott International left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter. ....
Former senior FBI official Robert Anderson told Reuters that the Marriott case looked similar to hacks that the Chinese government was conducting in 2014 as part of its intelligence operations.
"Think of the depth of knowledge they could now have about travel habits or who happened to be in a certain city at the same time as another person," said Anderson, who served as FBI executive assistant director until 2015.
Michael Sussmann, a former senior Department of Justice official for its computer crimes section, said that the long duration of the campaign was an indicator that the hackers were seeking data for intelligence and not information to use in cyber crime schemes.
"One clue pointing to a government attacker is the amount of time the intruders were working quietly inside the network," he said. "Patience is a virtue for spies, but not for criminals trying to steal credit card numbers."
***
Aren't these the points (less reference to tools as I don't have any inside information) I've suggested made it obvious from the beginning?
State-sponsored hackers and other kinds of hackers aren't beyond trying to plant clues to try to distract or otherwise divert attention away from who was responsible. Whether or not that happened in this situation, who knows. But I wouldn't trust Kroll or its amen-choir "competitors" at this point on the Marriott data breach. I am more eager to see US federal cases made of this matter before I "amen" Kroll and its fellow travelers wanting to claim "state-sponsored attack".
Regardless of who perpetrated the data breach attack(s), Marriott is falling short in how it deals with customers who may have been impacted by this and Marriott deserves criticism for this situation. Unfortunately, I doubt that Marriott will do much of anything to cut back on its hoarding of customer data, and I doubt there will be much of any lesson for other travel service providers unless and until this kind of thing costs a company like Marriott several hundred million US dollars or more. Nothing in the PR statements from Marriott or from its directly hired henchmen indicate anything about being committed to cutting back on how much personal data Marriott will collect and for how long it will retain it.
Last edited by GUWonder; Dec 6, 2018 at 2:51 am
#383
Join Date: Apr 2001
Posts: 592
I strongly agree. How Marriott deals with customers is entirely Marriott's choice. That is different from the original hack in which there was an outside party attacking.
#384
FlyerTalk Evangelist
Join Date: Jun 2006
Location: IAD/DCA
Posts: 31,797
"in order to sell more expensive security services"
same as "monitoring" services getting paid a fortune to provide "free" service to customers (who then pay after it ends)
companies are investing more in security but a lot of it is provided by questionable firms
are financial institutions seeing many breaches? how much do they spend on security?
how is marriott breach different from past breaches?
#387
Join Date: Jul 2002
Location: Canada
Posts: 628
It's unbelievably simple to know that major travel service providers ask for and keep a lot of customers' personal information. And it's unbelievably simple to know that such information is targeted by hackers -- criminals and even state-backed actors -- for a reason.
Maybe the information should be more properly protected (by the company wanting all such info) or perhaps even not kept at all by the company? The less you have, the less you have to simply protect? Isn't it that simple?
I am sick of businesses demanding, as a condition of the transaction, one's surrendering to a digital database info that is of no use (e.g. even if one is specifying Senior Rate for a rez, one needs to be prepared to supply proof of DOB at the desk, but to supply proof doesn't mean said proof needs to be kept in a database).
Convenience should be a distant second to security. Trouble is, cat is out of the bag now.
#388
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,719
An increasing number of countries (started by the US) request advance notice of passport details from airlines, which is how this all started. This is separate to the "fit for travel" assessment which happens at the airport (e.g. do you have your passport, visa, return tickets, no dodgy visas from local rivals, etc.).
#389
FlyerTalk Evangelist
Join Date: Feb 2003
Location: Denver, CO, USA
Programs: Sometimes known as [ARG:6 UNDEFINED]
Posts: 26,694
It's farcical. You go to Kroll to enroll, enter a randomly generated password...and get an error saying "Your password is too long." Not too short; too long.
And of course you then have to enter all sorts of personal info at Kroll.
If Starwood can be breached...if Equifax can be breached...then Kroll can be breached. @:-)
#390
FlyerTalk Evangelist
Join Date: Jun 2006
Location: IAD/DCA
Posts: 31,797
kind of like monitoring services - give us all of your information so we can monitor it