Nov 30, 2018, 5:05 am
Last edit by: MasterGeek
From Starwood Lurker team :
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.
Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.
http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html
You can enroll in the "identity" monitoring service provided by Marriott due to this breach here, it cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes :
https://answers.kroll.com/us/index.html
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.
Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.
http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html
You can enroll in the "identity" monitoring service provided by Marriott due to this breach here, it cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes :
https://answers.kroll.com/us/index.html
Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m
Nov 30, 2018, 5:11 am
#16
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Doesn't change the fact that mergers/acquisitions draw down IT resources in an environment where even the bandwidth to apply such resources may be challenged by the needs of management pursuing an M&A and are challenged when it comes to actual integration and delivering to the cost-cut targets the M&A peddlers sold to financial market participants. Absent the Marriott acquisition of Starwood, the data breaches almost certainly wouldn't have been as bad as with the Marriott acquisition of Starwood.
This has nothing to do with Starwood IT being better than Marriott IT or the other way around; it has to do with what happens in the real world of operational integration post-acquisition and what risks M&A activity create/exacerbate in that regard.
It could be spun that way, but I doubt that a lot of Marriott IT employees are going to see a big bonus coming there way because of this issue being identified.
The data breaches continued to take place even after GDPR became the proverbial law of the land in the EU. So just because a breach method commenced prior to GDPR becoming the law of the land doesn't free Marriott (inclusive of Starwood) from its GDPR compliance requirements for breaches that continued after GDPR became the law of the land.
This has nothing to do with Starwood IT being better than Marriott IT or the other way around; it has to do with what happens in the real world of operational integration post-acquisition and what risks M&A activity create/exacerbate in that regard.
The data breaches continued to take place even after GDPR became the proverbial law of the land in the EU. So just because a breach method commenced prior to GDPR becoming the law of the land doesn't free Marriott (inclusive of Starwood) from its GDPR compliance requirements for breaches that continued after GDPR became the law of the land.
Last edited by GUWonder; Nov 30, 2018 at 5:24 am
Nov 30, 2018, 5:14 am
#17
Join Date: Jul 2005
Posts: 1,074
Ridiculous to say this Predates Marriott ownership of Starwood Soley. They day they Merged is the Day Marriott was responsible for Starwood (and any legacy issues). That is why you perform DD before you make a Purchase the size of Starwood.
Marriott has failed to integrate the 2 companies in a timely manner and in a way that doesn't impact their customers. This is just another mistake in the long list.
Marriott has failed to integrate the 2 companies in a timely manner and in a way that doesn't impact their customers. This is just another mistake in the long list.
Nov 30, 2018, 5:15 am
#18
FlyerTalk Evangelist
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
The data breaches continued to take place even after GDPR became the proverbial law of the land in the EU. So just because a breach method commenced prior to GDPR becoming the law of the land doesn't free Marriott (inclusive of Starwood) from its GDPR compliance requirements for breaches that continued after GDPR became the law of the land.
Nov 30, 2018, 5:17 am
#19
Join Date: Oct 2009
Location: ATL
Programs: DL PM 2 Mil Miler, HZ PC, Marriott LT TI, AMB, Hilton Diamond
Posts: 556
Yes the merger integration has been mess but this one has been going since 2014, that's before Marriott even announced they were buying Starwood. The breach was probably found when they were merging computer systems.
Nov 30, 2018, 5:23 am
#20
Join Date: Nov 2008
Programs: SPG-Plat, Hilton-Diamond, Club Carlson-Silver, Cathay-Diamond, Virgin-Gold
Posts: 2,183
I am not a fan of Marriott and certainly been vocal about how poor the merger has been and the leadership failures of Marriott in the process. It has been pretty much a disaster and a continuing one at that!
That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.
It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.
I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!
That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.
It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.
I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!
That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
Nov 30, 2018, 5:32 am
#22
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Companies with retail customers of sorts haven't yet gotten around to really caring all that much about the privacy of all of their customers, and the companies seem to still have a sort of willingness to take the lumps from IT-related failures and arising data breaches rather than splurging to avoid it going wrong at all. Maybe the GPDR-related fines will change that game, but even in Europe GDPR compliance is still a work in progress and it seems that GDPR is sort of another fad of the day for professional service firms/types to make more money while delivering very little that is concrete other than some forms for people to fill out or more fine print to read/skim/skip.
Nov 30, 2018, 5:32 am
#23
Join Date: Aug 2018
Posts: 902
What this comes up to is that by buying a derelict company with an undisclosed/unknown serious data breach Marriott bought itself a tremendous potential liability.
The EU fines alone may get into the hundreds of millions.
SPG has always had a pretty weak IT, especially in what relates to data protection. A FT thread from a few years ago (can’t bother to search it) documents a bug that allowed easy access to anyone’s reservation details just by making minor modifications to the web address and how it took Starwood several weeks to correct that after the bug was made public.
Nov 30, 2018, 5:35 am
#24
Join Date: Dec 2014
Location: Haze gray and underway
Programs: UA 1K 2MM, HH Diamond, Marriott 'clink clink' Titanium
Posts: 1,784
I am not a fan of Marriott and certainly been vocal about how poor the merger has been and the leadership failures of Marriott in the process. It has been pretty much a disaster and a continuing one at that!
That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.
It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.
I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!
That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.
It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.
I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!
That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
Even with no transactions with spg (ever) I will monitor my cards a little closer and I would still not be surprised to receive an invitation to do so again.
Nov 30, 2018, 5:36 am
#25
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
I am not a fan of Marriott and certainly been vocal about how poor the merger has been and the leadership failures of Marriott in the process. It has been pretty much a disaster and a continuing one at that!
That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.
It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.
I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!
That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
That said I feel soe of the comments here holding Arne & Marriott to blame for this are somewhat unfair! Yes Marriott have a responsibility here as they have owned the company with the breach for the last 2 years! that said suggesting that some sort of audit ahead of time or that Marriott's IT should have caught this in the last 2 years when SPG's IT didnt catch it happening in the first place or for the 2 years that followed prior to the merger is in my opinion not fair or reasonable.
It is far harder to identify these things after the event then when they are actually happening and being created, add in that the people who should have known SPG IT the best are SPG tech not external Marriott tech it would make it even harder.
I am all for bashing Marriott when they fully deserve it but on this I feel by using it as an excuse to bash them some more about the merger issues actually reduces the integrity of complaining about the merger issues!
That all said Marriott now have to step up and deal with this and those affected in a proper and correct way not trying to sidestep and avoid like they seem to try and do. If they dont do that then they deserve all the negativity they get as it is now their responsibility even if it didn't start with them!
And even before that, what about Marriott's due diligence for investigating and figuring out its risk/exposure from potential privacy protection breakdowns at a target company it eagerly wanted to swallow whole? "You are what you eat" is something that M&A pursuers should consider when trying to put food on the plate. What I'd like to see Marriott do is the following: come out and note specificially how Marriott found out about this breach that was running into the fall of this year.
Nov 30, 2018, 5:43 am
#28
Join Date: Dec 2014
Location: Haze gray and underway
Programs: UA 1K 2MM, HH Diamond, Marriott 'clink clink' Titanium
Posts: 1,784
More likely 500 millions of unique reservation transactions. So some of us have many hundreds of entries to the 'you're screwed' lottery.
Nov 30, 2018, 5:43 am
#29
Suspended
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Not 500 million unique persons. Way less than that is my suspicion. But hotel data systems have been prime targets for exploitation by criminal outfits and for governmental actors.
The adequacy/inadequacy of such due diligence is all upon Marriott. Before and after its acquisition closed.
The adequacy/inadequacy of such due diligence is all upon Marriott. Before and after its acquisition closed.
Nov 30, 2018, 5:43 am
#30
Join Date: Mar 2010
Posts: 1,324