Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service that Marriott is providing because of this breach here. It cannot be called "credit monitoring" because it provides neither access to credit bureau report data (as held by Equifax, TransUnion and Experian) nor notifications when that credit report data changes:
https://answers.kroll.com/us/index.html

Old Dec 4, 2018, 10:37 pm
  #346  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by MSPeconomist
The more this mistake costs Starriott, the less likely they are to make a similar mistake in the future if it can be avoided by being more careful or spending more resources on IT. It really doesn't matter who benefits from the payment of fines, penalties, and other costs. It's the incentives that matter.
Yes. And as with US criminal prosecutions, some are done to make an example for others, because examples of how seriously something may be taken are part and parcel of the point of incentives/disincentives, amongst other things.

An incentive is an incentive and a disincentive is a disincentive most profoundly when the potential outcomes are recognized and appreciated as such in advance of making a relevant decision and acting upon it. But a proverbial slap on the wrist as the default for well-heeled corporations is an incentive of sorts, an incentive not to change ways too much.

Last edited by GUWonder; Dec 4, 2018 at 10:57 pm
GUWonder is offline  
Old Dec 4, 2018, 10:55 pm
  #347  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by stimpy
Not true anymore. First of all there are less and less people who are that clueless. Especially in industrialized nations. Even children are taught about this in schools now. Secondly the technology companies have rolled out many tools and features to prevent the less technically-minded from shooting themselves in the foot. Example: how is hovering your mouse over a link in an email considered "jumping through additional hoops"?
Isn’t most clicking on links in industrialized countries done without a mouse yet?

Even as a larger proportion of people are aware of the dangers of clicking on questionable links, and even as more technology tools exist to try to save people from themselves when it comes to clicking onto questionable links, I have no doubt that there are a huge proportion of “morons” clicking on questionable things and it’s why this is such a frequently used vector of hacking done by state actors and by non-state actors, many of which are aimed at people who are more likely to know better than the average person on say the streets of Dhaka. As more and more “morons” have gotten online, more and more have become at risk in ways that weren’t the case when say only 5% or less of people were using the internet on a daily basis.

The breached Marriott data about government/military rate use in reservations would be rather prime material for some state actors and even some non-state actors in the business of selling stolen data and even state actor hacking tools, because many such persons will use their personal devices and click on things anyway when it appears to be rather routine.

I have little to zero faith in school education for young kids changing much of anything to avoid device/data breaches — young children tend to be at least as impulsive as ever in some ways and more in other ways. The declining value they place in privacy doesn’t inspire confidence about what their education on online use means for avoiding data/device breaches. But hopefully I’ll be wrong about this.
GUWonder is offline  
Old Dec 4, 2018, 11:48 pm
  #348  
 
Join Date: Aug 2008
Location: Somewhere in Florida
Posts: 2,616
Originally Posted by stimpy
Easy to create such an email. But in this day and age it would take a moron to blindly trust the sender.
There are a lot of "morons" in my office. One (a millennial) got taken for $6k this year ($3k x2) by blindly trusting every e-mail that came in her inbox. She also insisted on installing a version of MS Office we don't officially support. I don't think there's a single link in an e-mail she hasn't clicked or an attachment she hasn't opened. We ended up putting some serious pressure on her bank to get her money back and after ~2 months, she was made whole. I think (hope?) she's learned her lesson.

Originally Posted by MasterGeek
Is Marriott going to provide material compensation to regain consumer confidence and repair the same the company brought upon themselves for their careless mishandling of guest personal information? A few dozen grand Marriott point or free night certificates will do.
And just how would they do that? This is the same Marriott which still can't provide a working, stable website in 2018, can't run a promotion (29 Ways to Fail), can't properly credit stays, and still believes FAX is a thing. Even if they were to issue 10,000 points to everyone, what are the chances that it'd actually end up in our accounts? Still waiting for the 29 Ways points...
remymartin likes this.
KRSW is offline  
Old Dec 4, 2018, 11:55 pm
  #349  
FlyerTalk Evangelist
Four Seasons Contributor Badge, Mandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Originally Posted by KRSW
There are a lot of "morons" in my office. One (a millennial) got taken for $6k this year ($3k x2) by blindly trusting every e-mail that came in her inbox. She also insisted on installing a version of MS Office we don't officially support. I don't think there's a single link in an e-mail she hasn't clicked or an attachment she hasn't opened. We ended up putting some serious pressure on her bank to get her money back and after ~2 months, she was made whole. I think (hope?) she's learned her lesson.
That kind of person can be conned by non-technical means as well. The Marriotts of the world can't be held to blame for these cases. You just hope, as you noted, that experience teaches them a lesson.
stimpy is offline  
Old Dec 5, 2018, 12:13 am
  #350  
 
Join Date: Aug 2008
Location: Somewhere in Florida
Posts: 2,616
@stimpy: I 100% agree with you. In a previous life, many, many, many moons ago (and well past the Statute of Limitations), I was well into hacking & social engineering.
She would be the ideal type of target. She thinks she's far smarter than she is, and worse, she doesn't know what she doesn't know.
KRSW is offline  
Old Dec 5, 2018, 1:58 am
  #351  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by stimpy
That kind of person can be conned by non-technical means as well.
Often yes, but there's definitely something about the use of technical means that enables hacking and conning in a way that was more difficult and took way more time and effort before than it does now. And while the younger folks may tend to be way more distrusting of institutions than some older generations, they seem no less susceptible to being subjected to online exploitation than those a generation or two older; and offline exploitation avoidance is probably no better now than a decade or two ago.

And this kind of data leak -- as with this Marriott data breach in particular -- has the potential to enable conning people (including even Marriott's own employees under some circumstances) more easily, both by non-technical means and by technical means.

I'm sure of one thing: the most powerful state actors find technical tools to have become increasingly more efficient tools to access and exploit larger numbers of targets than non-technical tools. It's probably not all that different for criminals of sorts, which is why the most lucrative criminal conning of people seems to have gone online in such a big way. Even organized crime has shifted in part with online strategies and tactics to more efficiently make criminal gains -- which explains in some part more technical hacking efforts.
GUWonder is offline  
Old Dec 5, 2018, 2:42 am
  #352  
FlyerTalk Evangelist
Four Seasons Contributor Badge, Mandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Originally Posted by GUWonder
I'm sure of one thing: the most powerful state actors find technical tools to have become increasingly more efficient tools to access and exploit larger number of targets than non-technical tools. It's probably not all that different for criminals of sorts, which is why the most lucrative criminal conning of people seems to have gone online in such a big way. Even organized crime has shifted in part with online strategies and tactics to more efficiently make criminal gains -- which explains in some part more technical hacking efforts.
Well yes. Everything can be made more efficient with the Internet and modern tools. Both honest and criminal activities benefit. But the fundamental nature of a confidence game hasn't changed in centuries.

I always like the old saying, You Can't Cheat an Honest Man.
stimpy is offline  
Old Dec 5, 2018, 3:16 am
  #353  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by stimpy
Well yes. Everything can be made more efficient with the Internet and modern tools. Both honest and criminal activities benefit. But the fundamental nature of a confidence game hasn't changed in centuries.

I always like the old saying, You Can't Cheat an Honest Man.
Sure, but an honest man may be cheated until and unless the honest man has nothing of which to be cheated. Surely we aren't saying that Marriott customers hit by Marriott data breaches aren't all honest and thus all the Marriott customers deserve what they get until and unless they have no more to give?
GUWonder is offline  
Old Dec 5, 2018, 3:39 am
  #354  
FlyerTalk Evangelist
Four Seasons Contributor Badge, Mandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Originally Posted by GUWonder
Sure, but an honest man may be cheated until and unless the honest man has nothing of which to be cheated. Surely we aren't saying that Marriott customers hit by Marriott data breaches aren't all honest and thus all the Marriott customers deserve what they get until and unless they have no more to give?
No. None of the Marriott customers have lost anything yet (as far as has been publicly divulged). The day that someone falls for a phishing scam that utilizes the data stolen from Marriott/Starwood, is the day you can ask that person why did you fall for it? What did you think you would gain by clicking on the link or speaking to a phony rep. That's the point of the "can't cheat an honest man" argument. And Marriott should not be blamed for that. Marriott/Starwood are clearly at fault for not adequately protecting customer data. But if some sucker gets fooled into a scam that utilizes that data, it's the fault of the individual who gets scammed.

But the other angle is in the United States, where a criminal could successfully open a line of credit in the name of one of Marriott's customers. That's back on Marriott. And of course the laws of the USA and the 50 states that effectively allow a criminal to steal someone's identity and get credit in that name.
stimpy is offline  
Old Dec 5, 2018, 3:49 am
  #355  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by stimpy
No. None of the Marriott customers have lost anything yet (as far as has been publicly divulged). The day that someone falls for a phishing scam that utilizes the data stolen from Marriott/Starwood, is the day you can ask that person why did you fall for it? What did you think you would gain by clicking on the link or speaking to a phony rep. That's the point of the "can't cheat an honest man" argument. And Marriott should not be blamed for that. Marriott/Starwood are clearly at fault for not adequately protecting customer data. But if some sucker gets fooled into a scam that utilizes that data, it's the fault of the individual who gets scammed.

But the other angle is in the United States where a criminal could successfully open a line of credit in the name of one of Marriott's customers. That's back on Marriott. And of course the laws of the USA and the 50 states that effectively allow a criminal to steal someones identity and get credit in that name.
The first paragraph above includes things that seem a lot like victim-blaming. Blaming victims of crime for being a victim of criminals seems to just add insult to injury. Better to blame the criminals and then those who provided the tool(s) that the tool-supplier knew could be used by the criminals and would be once accessed by such.

Criminals getting identity and credit in the name of others isn't all that difficult to do outside the US either. It's very easy to pull off in various parts of Europe, including in parts of the Schengen area that are seen as being more of a nanny-state than most of the rest of the EU.
GUWonder is offline  
Old Dec 5, 2018, 3:57 am
  #356  
FlyerTalk Evangelist
Four Seasons Contributor Badge, Mandarin Oriental Contributor Badge
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Originally Posted by GUWonder
The first paragraph above includes things that seem a lot like victim-blaming. Blaming victims of crime for being a victim of criminals seems to just add insult to injury. Better to blame the criminals and then those who provided the tool(s) that the tool-supplier knew could be used by the criminals and would be once accessed by such.
That's the society we live in. If you leave the door to your home wide open to the street, or leave the keys to your car in the ignition, then society blames the victim rather than the criminal.
stimpy is offline  
Old Dec 5, 2018, 4:22 am
  #357  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by stimpy
That's the society we live in. If you leave the door to your home wide open to the street, or leave the keys to your car in the ignition, then society blames the victim rather than the criminal.
I don't know about that. I have homes where I can leave the doors wide open to the streets and they seem to be far less at risk of break-in than places where I have to religiously lock the doors when not there or have other security measures in place and on display for potential criminals. The former tend to be where ordinary civilians can lawfully shoot at home-violating thieves of sorts upon warning and are more likely to possess a legal firearm, while the latter tend to be in places where ordinary civilians can't and/or are way less likely to possess a legal firearm.

Says the person blaming Marriott, at least in part, for the data breach hits. Marriott, and Starwood before it, are indeed getting blamed in part for this incident, but there are reasons that Marriott/Starwood are held to a different standard than an adult kid living in their momma's basement because the adult kid got fleeced at an online casino.
GUWonder is offline  
Old Dec 5, 2018, 4:30 am
  #358  
Moderator, El Al and Marriott Bonvoy, FlyerTalk Evangelist
Hyatt Contributor Badge, Marriott Contributor Badge
 
Join Date: Feb 2005
Location: SIN
Programs: SQ*G, Mar LTT, Hyatt Glb, AA LTG, LY, HH, IC, BA, DL, UA SLV
Posts: 12,018
Moderator Note

Folks,
Please keep this thread on the relevant issues of the breach, how to address it, how Marriott is addressing it, etc. This isn't a thread for general security topics which can be addressed elsewhere in FlyerTalk.

Thanks,
yosithezet
Co-Moderator, MSR Forum
yosithezet is offline  
Old Dec 5, 2018, 5:02 am
  #359  
 
Join Date: Nov 2014
Location: lounge next door
Programs: *A Gold / ST Elite+ / OWS / EK G / HH Diam. / MR Tit / Hyatt GLOB / IHG Diam. / SL Jade / GHA Tit.
Posts: 1,523
Originally Posted by GUWonder
It seems to me that so far most people still haven’t gotten any Marriott email about this matter. Many of the people who are covered by GDPR also seem to not have gotten any such email from Marriott. And I’m having the spam folders checked.
I asked the Marriott privacy officer what the contact is for their EU representative for GDPR... still waiting for an answer.
When I get one I will share it here so that we are able to file claims.
EuropeanPete, KRSW and remymartin like this.
frenchft is offline  
Old Dec 5, 2018, 5:23 am
  #360  
Suspended
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 102,095
Originally Posted by frenchft
I asked the Marriott privacy officer what is the contact of their EU representative for GDPR... still waiting for an answer.
When I got one I will share here for us to be able to fill claims.
I doubt that Marriott had one, although Marriott has plenty of lawyers on hire in the EU too. Maybe Marriott has even told its area lawyers to hold back and give the lead to a quasi-PR firm, as the Marriott website indicates: https://answers.kroll.com/

Even the way the data breach is being referred to by Marriott and Kroll smacks of PR spin driving the show more than just an interest in legal/regulatory compliance and supporting customers with customer privacy problems arising from the Marriott data breach/breaches indicated in Marriott's and Kroll's announcements on the matter.

Maybe you should try to contact Kroll's public face for its North American "data breach notification practice" and ask him for his EU-area equivalent.

https://www.kroll.com/en-us/how-we-h...-data-breaches
EuropeanPete likes this.

Last edited by GUWonder; Dec 5, 2018 at 5:31 am
GUWonder is offline  