Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here. It cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) or notifications when credit report data changes:
https://answers.kroll.com/us/index.html
Old Mar 13, 2019, 5:47 pm
  #496  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Why wouldn't you express the same outrage about the state actor involved in this?

There are no indications that anyone has been impacted by this ... no reports of identity theft, no reports of data being sold, and Amex has publicly reported they haven't seen the slightest indication that there are issues with Amex SPG card fraud that seem correlated to the state actor data theft.

A state actor who seeks to compile multiple sources of data isn't using it for identity fraud. When I was in country X a couple of weeks ago, they scanned my passport at immigration. Do you think the state actor hasn't hacked that database and has all the passport info for everyone coming in and leaving? I'll be in country Y on Sunday, they'll scan my passport when I enter and leave. Do you think the state actor has hacked their database?

I get the outrage but LifeLock and Kroll or any other of the several monitoring services I have from various hacks can't do anything to deal with this issue.
C17PSGR is offline  
Old Mar 13, 2019, 6:10 pm
  #497  
 
Join Date: Dec 2007
Location: SFO
Posts: 4,914
Marriott should just say all information is out there and call it a day. Better than sending these ridiculous emails with no new information.
myperks is offline  
Old Mar 13, 2019, 6:56 pm
  #498  
FlyerTalk Evangelist
 
Join Date: May 2002
Location: Pittsburgh
Programs: MR/SPG LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus
Posts: 31,008
Originally Posted by C17PSGR
Why wouldn't you express the same outrage about the state actor involved in this?....
WTH are you talking about?
CPRich is offline  
Old Mar 13, 2019, 7:26 pm
  #499  
 
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
I think he's suggesting that my outrage should be directed to the hackers that stole the data, as opposed to those (who I trusted with the data) who had it stolen from them. Because, of course, as is customary on flyertalk, the company did nothing wrong, and I should have no grievance at all.
transportbiz is offline  
Old Mar 13, 2019, 7:36 pm
  #500  
FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: Toronto
Programs: UA 1K, AC MM E75, Marriott LT Ti, IHG Dia Amb, Hyatt Glob
Posts: 15,521
Originally Posted by transportbiz
I think he's suggesting that my outrage should be directed to the hackers that stole the data, as opposed to those (who I trusted with the data) who had it stolen from them. Because, of course, as is customary on flyertalk, the company did nothing wrong, and I should have no grievance at all.
I dunno, but post # 488 sounds very plausible to me.

https://www.flyertalk.com/forum/marr...fected-33.html
margarita girl is offline  
Old Mar 13, 2019, 7:38 pm
  #501  
 
Join Date: May 1998
Posts: 6,790
Originally Posted by josephstern
Good thing they didn't get those nude selfies that I have stored in my SPG account!
That should scare them away from your account.
Counsellor is online now  
Old Mar 13, 2019, 7:55 pm
  #502  
FlyerTalk Evangelist
 
Join Date: Jan 2007
Location: BOS/UTH
Programs: AA LT PLT; QR GLD; Bonvoy LT TIT
Posts: 12,755
Originally Posted by transportbiz
I think he's suggesting that my outrage should be directed to the hackers that stole the data, as opposed to those (who I trusted with the data) who had it stolen from them. Because, of course, as is customary on flyertalk, the company did nothing wrong, and I should have no grievance at all.
I don't get your outrage. For example, you think that Kroll isn't a serious and reliable player in this space? I've used Kroll for corporate security matters. They're very, very good. You apparently prefer LifeLock. Marriott chose Kroll. That is not a basis for outrage.
C17PSGR likes this.
Dr. HFH is offline  
Old Mar 13, 2019, 9:03 pm
  #503  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by transportbiz
I think he's suggesting that my outrage should be directed to the hackers that stole the data, as opposed to those (who I trusted with the data) who had it stolen from them. Because, of course, as is customary on flyertalk, the company did nothing wrong, and I should have no grievance at all.
I did suggest your outrage should be properly directed at the state actor. That being said, I think the communication and messaging on this from the company has been poor.

But, LifeLock is a business focused on selling identity theft coverage to individual consumers. Even in cases where there was financial data theft of credit card data, I don't recall any business that ever used LifeLock. Rather, Marriott, like many companies, has cyber theft insurance coverage. Its carrier likely had an established relationship with Kroll who provides the same service focused on selling to corporate entities. Substantively, what is the difference?

More importantly, have you thought through the distinction of (a) gangs that steal credit card data and other information for sale and (b) a state actor that steals the data for the purpose of maintaining an extensive database on individuals? They're both offensive -- the latter more so since it's state sanctioned -- but there is nothing LifeLock, Kroll, or any of the other tracking services can do with the data the state actor stole.
C17PSGR is offline  
Old Mar 14, 2019, 8:54 am
  #504  
FlyerTalk Evangelist
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,044
Originally Posted by MePlatPremier
I don’t know why people bother filling in the form. We know what data was on our SPG profiles and we can very well imagine that all that info was forwarded to hotels with any booking. Apparently, SPG was also collecting passport information (which was not visible on the profile). That was new to me, and how they collected that info is just a wild guess. In any event, given we know all that by now, why bother filling an additional form to get a report that really tells nothing we shouldn’t already know at this instance.
Why bother?

I had no idea that they had my passport info on file. Now I know.

Why not fill out the form? Does it really take too much time?
josephstern is online now  
Old Mar 14, 2019, 11:12 am
  #505  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by josephstern

I had no idea that they had my passport info on file. Now I know.
Many countries require the hotel to keep passport info on file. Arne testified that legacy Marriott properties kept the info at the hotel and legacy SPG properties stored it on the SPG reservation database. Each option has its own risk/benefit from a security perspective.
C17PSGR is offline  
Old Mar 14, 2019, 12:23 pm
  #506  
FlyerTalk Evangelist
 
Join Date: Jul 2006
Location: Upper Sternistan
Posts: 10,044
Originally Posted by C17PSGR
Many countries require the hotel to keep passport info on file. Arne testified that legacy Marriott properties kept the info at the hotel and legacy SPG properties stored it on the SPG reservation database. Each option has its own risk/benefit from a security perspective.
Typically, for how many years? It's been many years since I've stayed at an SPG outside the US. They should expunge the data when they are no longer required to keep it.
josephstern is online now  
Old Mar 14, 2019, 12:28 pm
  #507  
Suspended
 
Join Date: Oct 2004
Location: Bay Area
Programs: DL SM, UA MP.
Posts: 12,729
Originally Posted by C17PSGR
Many countries require the hotel to keep passport info on file. Arne testified that legacy Marriott properties kept the info at the hotel and legacy SPG properties stored it on the SPG reservation database. Each option has its own risk/benefit from a security perspective.

Do they require it?

I know countries like Italy require that passports be copied because in order to access the Internet in Italy, you have to be registered via those passports, for some anti-terrorism laws.

But to actually keep copies of the passport?

It's one thing for a big global chain to scan and store those records but what about all those family-run hotels. You think they're keeping xeroxes of the passports of their guests?

I think global chains keep records on their guests to data mine and resell data more than to comply with any possible laws.
wco81 is offline  
Old Mar 14, 2019, 1:11 pm
  #508  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by wco81
Do they require it?

I know countries like Italy require that passports be copied because in order to access the Internet in Italy, you have to be registered via those passports, for some anti-terrorism laws.

But to actually keep copies of the passport?

It's one thing for a big global chain to scan and store those records but what about all those family-run hotels. You think they're keeping xeroxes of the passports of their guests?

I think global chains keep records on their guests to data mine and resell data more than to comply with any possible laws.
Hotels in many countries scan or copy my passport. I don't like it but it's local law, what can I do?

According to Arne's testimony before Congress, legacy Marriott kept it at the hotel level. It seems like the current reservation system does as well. The downside of that is that the IT security for a Sofitel in Lima is questionable and accessible to lots of people. On the other hand, there's no great collection of data. Legacy SPG kept it on the overall system which provides greater security (although preventing a highly sophisticated state actor is always a challenge) but has a great collection of data.

As a practical matter, if you've traveled to Hong Kong, the state actor already absolutely has your passport info. Similarly, I presume if you've traveled to South America, much of Asia, Africa, the Middle East, and some countries in Europe, the state actor has it from there as well.
C17PSGR is offline  
Old Mar 14, 2019, 2:27 pm
  #509  
 
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
Originally Posted by Dr. HFH
I don't get your outrage. For example, you think that Kroll isn't a serious and reliable player in this space? I've used Kroll for corporate security matters. They're very, very good. You apparently prefer LifeLock. Marriott chose Kroll. That is not a basis for outrage.
I think one year for such a serious breach is inadequate. But, of course, that will be missed on the Marriott apologist.
transportbiz is offline  
Old Mar 14, 2019, 2:29 pm
  #510  
 
Join Date: Feb 2009
Location: SEA
Programs: UA SP, DL SM MM, AS 75K, SPG Platinum, Hyatt Diamond.
Posts: 2,596
Originally Posted by C17PSGR
I did suggest your outrage should be properly directed at the state actor. That being said, I think the communication and messaging on this from the company has been poor.

But, LifeLock is a business focused on selling identity theft coverage to individual consumers. Even in cases where there was financial data theft of credit card data, I don't recall any business that ever used LifeLock. Rather, Marriott, like many companies, has cyber theft insurance coverage. Its carrier likely had an established relationship with Kroll who provides the same service focused on selling to corporate entities. Substantively, what is the difference?

More importantly, have you thought through the distinction of (a) gangs that steal credit card data and other information for sale and (b) a state actor that steals the data for the purpose of maintaining an extensive database on individuals? They're both offensive -- the latter more so since it's state sanctioned -- but there is nothing LifeLock, Kroll, or any of the other tracking services can do with the data the state actor stole.
Sorry, but if I park my car with the Valet at a hotel, and it's stolen, sure I'll be upset at the thief, but I'm going to blame the hotel. And so will the court.
transportbiz is offline  

