
Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit  info.starwoodhotels.com  for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here; it cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html

Old Dec 3, 2018, 8:10 am
  #301  
 
Join Date: Sep 2005
Programs: AC MM E50 , Former SPG, now Marriott LT Plat
Posts: 6,261
Originally Posted by Bowgie
This may sound dumb, but what is the harm of my passport number being out in the hands of hackers?
In the news today, Senator Chuck Schumer says Marriott should pay everyone's fee for a new passport.
My bank account in China is accessed by passport number.
IluvSQ is offline  
Old Dec 3, 2018, 8:19 am
  #302  
FlyerTalk Evangelist
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
The race is on in the US. Can Europe be far behind?

https://www.zdnet.com/article/marrio...g-data-breach/
stimpy is offline  
Old Dec 3, 2018, 8:53 am
  #303  
 
Join Date: May 2004
Location: Toronto
Programs: SPG LT Plat, Hilton G,Priorty Club G, AC E
Posts: 2,979
So has everyone received their "breach" email yet?
HomerJ is offline  
Old Dec 3, 2018, 9:01 am
  #304  
FlyerTalk Evangelist
 
Join Date: Apr 2008
Location: LGA/JFK/EWR
Programs: UA 1K1.75MM, Hyatt Globalist, abandoned Marriott LTT (RIP SPG), Hertz PC
Posts: 21,167
Originally Posted by HomerJ
So has everyone received their "breach" email yet?
LOL yeah right - I can't even get them to send e-folios to me
GUWonder likes this.
UA-NYC is offline  
Old Dec 3, 2018, 9:28 am
  #305  
 
Join Date: Aug 2011
Location: MIA, VIE and DPS
Programs: DL Plat 1MM, AA EXP 3MM, SQ Krisflyer Gold, UA Silver, Marriott LTT, HH Gold
Posts: 1,132
Has anyone seen anything if the passport numbers are only for the primary name on the reservation or of everyone who checked in?
flying_geek is offline  
Old Dec 3, 2018, 9:50 am
  #306  
 
Join Date: Jun 2008
Location: BDU
Programs: DL:MM, Marriott:LTT
Posts: 8,779
Originally Posted by flying_geek
Has anyone seen anything if the passport numbers are only for the primary name on the reservation or of everyone who checked in?
While what was specifically included in the breach is still unknown, I can tell you when my sister and her family of four made their reservation for the Prague Sheraton six months or so ago the Website did ask for the names and SS#s passport #s for all four guests. It was part of the record and something the Website was set up to capture.

We did not originally add the passport numbers but shortly after making the reservation received an email from the hotel manager indicating those numbers needed to be added or the reservation would be canceled, and if the passports presented at check-in had different numbers there would be an issue.

Last edited by yosithezet; Dec 5, 2018 at 3:08 am Reason: Merged and removed redacted content.
CJKatl is offline  
Old Dec 3, 2018, 10:20 am
  #307  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,399
Originally Posted by CJKatl
While what was specifically included in the breach is still unknown, I can tell you when my sister and her family of four made their reservation for the Prague Sheraton six months or so ago the Website did ask for the names and SS#s for all four guests. It was part of the record and something the Website was set up to capture.
Surely it violates USA federal law for a private entity to demand social security numbers for a purpose (or no purpose at all) not related to clearly permitted uses (such as employment).

When I stayed at the Sheraton on Charles Square in Prague, no one asked for my social security number, and I certainly would not have given it to them.

BTW, if you make up a number in the correct format, how would they know the difference? When someone insists, I sometimes give my phone number as (800) 555-1212 or (local area code) 555-1212 (the number for directory listings).
MSPeconomist is offline  
Old Dec 3, 2018, 10:24 am
  #308  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,399
Originally Posted by HomerJ
So has everyone received their "breach" email yet?
No, I haven't yet sent them a telegram to remind them of my fax number. They should know my email address, but apparently Starriott disapproves of that technology.
MSPeconomist is offline  
Old Dec 3, 2018, 10:26 am
  #309  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by CJKatl
We did not originally add the passport numbers but shortly after making the reservation received an email from the hotel manager indicating those numbers needed to be added or the reservation would be canceled, and if the passports presented at check-in had different numbers there would be an issue.
Understood. I had Iberia ask for my passport to confirm identity for my Avios account. I sent them the info but blacked out the passport number for security reasons. They responded that I had to give them the passport number or they would close my account. I thought that was pretty bizarre considering it was all after the GDPR was implemented as I can't think of any reason they need my passport number for an Avios account. As for the hotel, they probably need it under Czech law but I don't like providing that information by email as it is highly insecure.

I also noted that my MR account doesn't contain my full birthday ... only month/day.

Last edited by yosithezet; Dec 5, 2018 at 3:10 am Reason: Removed redacted content
C17PSGR is offline  
Old Dec 3, 2018, 10:28 am
  #310  
 
Join Date: Aug 2018
Posts: 902
Originally Posted by CJKatl
We did not originally add the passport numbers but shortly after making the reservation received an email from the hotel manager indicating those numbers needed to be added or the reservation would be canceled, and if the passports presented at check-in had different numbers there would be an issue.
That sounds like a phishing scam...


Last edited by yosithezet; Dec 5, 2018 at 3:10 am
MePlatPremier is offline  
Old Dec 3, 2018, 10:35 am
  #311  
 
Join Date: Jun 2008
Location: BDU
Programs: DL:MM, Marriott:LTT
Posts: 8,779
Originally Posted by C17PSGR
As for the hotel, they probably need it under Czech law but I don't like providing that information by email as it is highly insecure.
That is what the manager indicated in the email. I had made the reservation because they were leaving in a couple weeks and she had not made the reservations, so I was getting nervous. We had been on the phone for hours with various travel providers and she hung up before we finished this last reservation. The manager volunteered to give them lounge access which was much appreciated. I am sorry to see that hotel leave Marriott.

Ironically we got off the phone an hour or so ago making her travel arrangements for Christmas because she was dragging her feet on those.
CJKatl is offline  
Old Dec 3, 2018, 12:05 pm
  #312  
Company Representative - Starwood
 
Join Date: Aug 2011
Programs: SPG
Posts: 713
Originally Posted by kyanar
That they haven't even sent out an impersonal notification of the potential for our information to have leaked when they've had more than enough time to spin up a reputation management firm and get a press release in the hands of the New York Times, and get FlyerTalk to publish a complete load of tripe on the front page while they're at it, is the problem.

Legally, they must notify customers of the breach. They've acknowledged that they know what info the breach contains but they may not necessarily know if yours is in it. That's fine, simple answer is an email: "We have been able to establish that the data removed contains Full Name, Address, Phone Number, Email, Stay Details, Loyalty Program details including SPG Number and level in the program, and in cases where the hotel has a requirement to store Passport details these may have been included. At this stage, we are unable to say whether your details have been included. We recommend you keep an eye out for any signs our information has been removed and misused, and contact us using the details on the dedicated page setup at blahblahblah. Rest assured we are continuing to investigate as the highest priority, and we will notify you immediately if we can determine that your information was included in the breach with next steps".

Seriously, not hard. Tell people what happened, invite them to contact the dedicated team with any concerns, and advise that you'll be informed ASAP if they determine your details are definitely hacked.
We understand your concern. We began sending emails on Nov 30, 2018 to affected guests. Due to the volume, you may not receive yours immediately. You don’t have to wait for the email if you believe you may be affected. Please visit info.starwoodhotels.com for official information and some steps you can take in response.
Starwood Lurker IV is offline  
Old Dec 3, 2018, 12:10 pm
  #313  
 
Join Date: Apr 2018
Programs: Marriott Lifetime Titanium, American Airlines Platinum, Hertz President's Circle
Posts: 37
Let's not pretend that even "real credit monitoring" is in any way an adequate remedy for someone who has had their identity stolen.
OldSchoolConsultant is offline  
Old Dec 3, 2018, 12:14 pm
  #314  
 
Join Date: Mar 2008
Location: London (~75% of the year).
Programs: AA PPro
Posts: 474
Originally Posted by rny321
I realize when using gmail or a similar provider the process of creating and tracking multiple email addresses is more time consuming.
Actually, all gmail accounts have near infinite emails built in. If your gmail address was [email protected] then [email protected] would get to you without any config and indeed if you had a Marriott label I think it might auto-filter into it. In addition to being able to tack on +whatever you can also insert "."s wherever you like, just not more than 1 at a time. So [email protected] will also get delivered to the [email protected] account.

Alas a fair few websites are poorly coded and can't cope with a + in the userpart (bit before the @) in email addresses even though it's totally valid. Worse are sites that can cope with it in some places (like sign up) but not others (like unsubscribing from their mailing list).
kennycrudup and rny321 like this.
zoombee is offline  
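
The Gmail aliasing rules described in post #314, as an added example that is not part of any post in this thread: it accepts "+" as a valid local-part character, collapses dot and +tag variants to one mailbox, and reports which per-site tags a list of recipient addresses used. The function names and sample addresses are constructed for illustration, and treating googlemail.com as gmail.com is an assumption the post does not mention.

```python
import re

# Domains where the rules from the post apply (dots ignored, +tag ignored).
# Assumption: googlemail.com is handled as an alias of gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# RFC 5322 dot-atom local part: "+" is legal, two dots in a row are not.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(rf"{_ATEXT}(?:\.{_ATEXT})*")


def split_address(addr):
    """Return (local, domain); raise ValueError if the address is malformed."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not domain or not _LOCAL_RE.fullmatch(local):
        raise ValueError(f"not a valid dot-atom address: {addr!r}")
    return local, domain.lower()


def canonicalize(addr):
    """Return (mailbox, tag). tag is the text after '+', or None."""
    local, domain = split_address(addr)
    if domain not in GMAIL_DOMAINS:
        # Other providers may treat '+' and '.' as significant: leave as-is.
        return f"{local}@{domain}", None
    base, plus, tag = local.partition("+")
    base = base.replace(".", "").lower()
    if not base:
        raise ValueError(f"empty mailbox name: {addr!r}")
    return f"{base}@gmail.com", (tag if plus else None)


def tags_seen(recipients, mailbox):
    """Sorted +tags among recipients that resolve to the given mailbox."""
    target, _ = canonicalize(mailbox)
    found = set()
    for addr in recipients:
        box, tag = canonicalize(addr)
        if box == target and tag:
            found.add(tag)
    return sorted(found)


# Constructed sample: "To:" addresses taken from received mail.
SAMPLE = [
    "flyer.example+marriott@gmail.com",
    "Flyer.Example+airline@googlemail.com",
    "f.l.y.e.r.example@gmail.com",
    "someone+marriott@example.org",
]
```

Mail arriving at a tagged address from a sender other than the site that was given that tag shows where the address was obtained, which is the use case the quoted post is discussing.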
Old Dec 3, 2018, 12:34 pm
  #315  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by CJKatl
While what was specifically included in the breach is still unknown, I can tell you when my sister and her family of four made their reservation for the Prague Sheraton six months or so ago the Website did ask for the names and SS#s passport #s for all four guests. It was part of the record and something the Website was set up to capture.
I 000000000 in whenever asked for a passport number unless it’s for a flight check-in or an attempt to seek government service. Never had it give me a problem at hotel check-in.
KRSW and btonkid12345 like this.
GUWonder is offline  

