Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service provided by Marriott in response to this breach at the link below. It cannot be called "credit monitoring" because it does not provide access to credit bureau report data (as held by Equifax, TransUnion and Experian), nor notifications when that credit report data changes:
https://answers.kroll.com/us/index.html
Old Dec 1, 2018, 8:38 pm
  #256  
 
Join Date: Oct 2009
Posts: 502
Originally Posted by MasterGeek
Which phone number or email address should I use to contact Marriott to claim compensation? Is Marriott going to take responsibility for their carelessness in handling our personal information and issue a proper and material apology? A Category 8 7-night certificate would be appropriate. Alternatively, Marriott's CEO could make up for the shame brought on his company by kneeling directly on the ground and prostrating himself on live TV to apologize to customers (as in Japanese custom).
Lol on the contrary, maybe you should compensate Marriott as a gesture of thanks for uncovering this dumpster fire that spg created and allowed to happen for so long?
kennycrudup likes this.
swintec is offline  
Old Dec 1, 2018, 9:29 pm
  #257  
 
Join Date: Nov 1999
Location: MEX/YVR/YYF
Programs: AS MVP/AC75K/AM Gold/UA*S/SPG-Marriott Lifetime Titanium/Accor-FPC Gold/HHDiamond/Hyatt Exp
Posts: 5,035
Originally Posted by JBord
The SPG bashing is going on because the hack happened under SPG's watch, not Marriott's. Marriott was the one who detected the hack. There's a whole lot of "kill the messenger" going on in this thread. But you're right that it's Marriott's issue now since they bought SPG's hacked reservation system.

I wonder if you'd be calling for lawsuits and fines if this had been discovered in 2015. Again, the only purpose this serves is harming the company that discovered and is trying to fix a data breach that occurred, prior to the acquisition, in a company that it acquired. No one likes when this happens, but it's hardly abnormal these days. I'd much rather see Marriott use the money to help the affected customers in some way than to pay a fine to the government...and no, I don't think both have to happen. Should the company be fined for a problem it didn't cause? If I buy a house and then find a dead body in the walls, should I be charged with murder?
C'mon. Being a Marriott defender is one thing, but Marriott detected the hack 2 days after the takeover, 2 months or 2 years?

I'm sorry but Marriott is in no way ahead of the curve on anything IT-related.

As a legacy SPG Platinum w/ Ambassador, yes I am angry that this could go on for so long, but in its typical bumbling way with IT-related issues the big parent company cannot even bother to send out an email with an update to a member such as myself.
kyanar likes this.
PointWeasel is offline  
Old Dec 1, 2018, 11:07 pm
  #258  
 
Join Date: Dec 2007
Location: Body in Downtown YYZ, heart and mind elsewhere
Programs: UA 50K, refugee from AC E50K, Marriott Lifetime Plat
Posts: 5,132
Originally Posted by chad75
Still haven't received any notification from Marriott and live in a jurisdiction where it is a legal requirement to inform potential victims as soon as a breach is found. Maybe I need to plug in my fax machine from 1998?
Originally Posted by PointWeasel
As a legacy SPG Platinum w/ Ambassador, yes I am angry that this could go on for so long, but in its typical bumbling way with IT-related issues the big parent company cannot even bother to send out an email with an update to a member such as myself.
@chad75 raises a good point. We all need to plug in fax machines so Marriott can notify us.
kyanar likes this.
RCyyz is offline  
Old Dec 2, 2018, 12:07 am
  #259  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by C17PSGR
Naah. The source of this is an easy layup.

Let's see ... someone planted a system for mining data in 2014. The data they pulled had the ability to track who and where, but the credit card data was potentially encrypted. Certainly in the past four years, if this was done for economic purposes, Amex would have noticed a pattern of fraud tied to SPG Amex holders since they would have been disproportionately impacted by any fraud aspects of that. Seen any reports on here from SPG Amex holders ... saying they were victims of fraud? Many of us have monitoring services that detect identity information being sold on the dark web. Again ... seen any reports of that from legacy SPG folks? The lack of selling that information again suggests a state actor.

And then, they've been mining the data since 2014. Most of the economic data breaches are usually hit and run, rather than extended mining.

The outrage here at the legacy SPG folks should really be focused on a certain state actor.
Some of the extended data mining breaches pursued for financial gain and done using software plants — or even sometimes using hardware plants — are a direct pursuit by criminal parties that don’t qualify as state actors (nor even as state-sponsored actors).

Hit and run data theft is only part of the picture of how some non-state actor criminals engage in data theft.

This doesn’t exclude the possibility of a state actor or state-sponsored actors being the data thief in this situation, but there is definitely no certainty that extended data theft can only be done by state actors.

A lot of illegally acquired data about real persons and their accounts is stored and sold as encrypted databases that won’t come up with paid darkweb searches even when marketed and sold via the darkweb means. It’s not unusual for criminal to criminal transactions of this sort to involve one party revealing only a very tiny sample of all the stolen data and then sending over the whole stolen data by sending over the decryption elements after being paid in full. It’s also not all that unusual for some criminals to try to blackmail targets — corporate ones too —using stolen data as a means to try to negotiate over payment terms and/or to collect payment for the data.

And even as this could have been done by a state actor or state-sponsored actor, that doesn’t absolve Marriott of responsibility for the data breach under Marriott’s “watch” too. If anything, there are elements of Marriott’s response to the data breach that invite questions about Marriott’s technology competency and maybe even its legal competency.

Trying to hide behind “.... but it was a sophisticated state actor” line only goes so far. Especially when Marriott has been holding back in ways that may be questionable.
kyanar likes this.

Last edited by GUWonder; Dec 2, 2018 at 1:11 am
GUWonder is offline  
Old Dec 2, 2018, 2:27 am
  #260  
Hilton Contributor Badge, Hyatt Contributor Badge
 
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,717
Originally Posted by swintec
Lol on the contrary, maybe you should compensate Marriott as a gesture of thanks for uncovering this dumpster fire that spg created and allowed to happen for so long?
We can play legacy SPG vs. Marriott games here all we want, but there is no doubt that Marriott has the legal and customer responsibility now as they are SPG.

While I don’t think it’s realistic that everyone who ever made a booking gets a $20,000 hotel stay in compensation, I am rather unhappy that as an Ambassador client I’ve not yet received a notification email.
C17PSGR likes this.
EuropeanPete is offline  
Old Dec 2, 2018, 2:30 am
  #261  
 
Join Date: Nov 2017
Posts: 3,359
Originally Posted by EuropeanPete
While I don’t think it’s realistic that everyone who ever made a booking gets a $20,000 hotel stay in compensation, I am rather unhappy that as an Ambassador client I’ve not yet received a notification email.
Seems to me that they were trying to be diplomatic with their ambassador
FlyerTalker70 is offline  
Old Dec 2, 2018, 2:42 am
  #262  
FlyerTalk Evangelist
Four Seasons Contributor BadgeMandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Originally Posted by GUWonder
And even as this could have been done by a state actor or state-sponsored actor, that doesn’t absolve Marriott of responsibility for the data breach under Marriott’s “watch” too. If anything, there are elements of Marriott’s response to the data breach that invite questions about Marriott’s technology competency and maybe even its legal competency.

Trying to hide behind “.... but it was a sophisticated state actor” line only goes so far. Especially when Marriott has been holding back in ways that may be questionable.
The bottom line is that if a business chooses to build a data network yet doesn't realize what is happening on that data network, they are just plain incompetent. In this case perhaps criminally incompetent. That said, very few non-Technology businesses are fully aware of what is happening on their data networks. This is like computer viruses. Businesses freely choose to give their non-technical staff a computer that can access the Public Internet. What did you think would happen?

There are tools and methods out there that could have spotted this issue long ago. But Starwood, then Marriott, chose to not spend the necessary funds and effort to manage their networks properly.
stimpy is offline  
Old Dec 2, 2018, 2:44 am
  #263  
 
Join Date: Nov 2015
Location: BNE
Programs: NZ*G, QF Bronze, VA Red
Posts: 563
Originally Posted by EuropeanPete
While I don’t think it’s realistic that everyone who ever made a booking gets a $20,000 hotel stay in compensation, I am rather unhappy that as an Ambassador client I’ve not yet received a notification email.
You don't need to mention the part about being an Ambassador client. Your level in the loyalty program should have absolutely nothing to do with the expectation that Marriott fulfil its legal obligation to notify customers in a timely manner of the data breach. And no, some website somewhere on the internet run by a reputation management company does not count. As soon as the information was known, Marriott should have tasked their marketing team with using that giant email database they have to notify any and all affected customers. But they didn't. They got straight in touch with Kroll and told them "manage the reputational damage". Not acceptable. The company has failed the customers both ethically and legally.
C17PSGR likes this.
kyanar is offline  
Old Dec 2, 2018, 3:08 am
  #264  
Hilton Contributor Badge, Hyatt Contributor Badge
 
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,717
Agreed, but my thinking of referencing my Ambassador was that it could be conceivable that the delay in notifying people was one of incompetence given all the problems that Marriott has with basic email.

However, for those of us with Ambassadors it would have been trivial to get your Ambassadors to manually email each of us and be ready for personal responses. It is a matter of indifference that this has not yet been done.
EuropeanPete is offline  
Old Dec 2, 2018, 5:51 am
  #265  
 
Join Date: Jun 2012
Location: CLT
Programs: Marriott Plat, AA Gold
Posts: 1,076
So should people that haven’t stayed at W, Sheraton or Westin not be affected?
GoPhils is offline  
Old Dec 2, 2018, 5:53 am
  #266  
Hilton Contributor Badge, Hyatt Contributor Badge
 
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,717
Originally Posted by GoPhils
So should people that haven’t stayed at W, Sheraton or Westin not be affected?
You shouldn't be affected so long as you've not stayed in any Starwood hotels since 2014 (possibly excepting Design Hotels).
EuropeanPete is offline  
Old Dec 2, 2018, 6:00 am
  #267  
 
Join Date: Nov 2011
Location: Virginia
Programs: HHonors Gold, IHG Platinum, Marriott nobody
Posts: 470
While I would be happy to receive a personalized email notification, I can also understand the challenge faced by Marriott in sending that out to 500 million guests. Can you imagine the potential liability for notifying someone that their information had been hacked and later turn out they were not?

Some people may incur expenses in changing documents and information once they are told their information had been hacked. I would hate to go through the process of changing the passport and credit cards if my information had not been hacked. Although I recognize the odds, 500 million guests!

I would rather get an accurate personalized notification that I can act on, than a vague notification that has nothing new beyond what has been in the news.
EdofFX is offline  
Old Dec 2, 2018, 6:24 am
  #268  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by EuropeanPete
You shouldn't be affected so long as you've not stayed in any Starwood hotels since 2014 (possibly excepting Design Hotels).
Would that be “not booked at and not listed in a reservation” rather than “not stayed in”?
GUWonder is offline  
Old Dec 2, 2018, 6:30 am
  #269  
A FlyerTalk Posting Legend
 
Join Date: Dec 2000
Location: Potomac Falls, VA
Programs: AA Plat 2MM, MR Gold, Avis Pref
Posts: 41,109
Originally Posted by EuropeanPete
Agreed, but my thinking of referencing my Ambassador was that it could be conceivable that the delay in notifying people was one of incompetence given all the problems that Marriott has with basic email.

However, for those of us with Ambassadors it would have been trivial to get your Ambassadors to manually email each of us and be ready for personal responses. It is a matter of indifference that this has not yet been done.
You're special when it comes to upgrades as an ambassador
You're no more special than the guy who signed up for one stay during the infraction period

Last edited by yosithezet; Dec 5, 2018 at 2:37 am Reason: Removed Rule 12.2 violation
TrojanHorse is offline  
Old Dec 2, 2018, 7:04 am
  #270  
Hilton Contributor Badge, Hyatt Contributor Badge
 
Join Date: Feb 2008
Location: In the air
Programs: Hyatt Globalist, Bonvoy LT Plat, Hilton Gold, GHA Tit, BA Gold, Turkish Elite
Posts: 8,717
Originally Posted by TrojanHorse
You're special when it comes to upgrades as an ambassador
You're no more special than the guy who signed up for one stay during the infraction period

Ambassador means bupkis in this instance - get over yourself
Clearly nobody has received any notification yet, and while there may have been (inexcusable, but insurmountable) problems in emailing everyone, it definitely would have been possible to have had Ambassadors reach out to their guests based on their knowledge of stay patterns and contact details.

Last edited by yosithezet; Dec 5, 2018 at 2:38 am Reason: Removed FT Rule 12.2 violation.
EuropeanPete is offline  