Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m

Old Nov 30, 2018, 5:05 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: MasterGeek
From Starwood Lurker team:
Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take.

Marriott has announced a massive breach of data belonging to 500 million guests who stayed at hotel brands including W, Sheraton, and Westin.
Marriott announced on Friday that it had "taken measures to investigate and address a data security incident" that stemmed from its Starwood guest authorization database.
The company said it believes that around 500 million people's information was accessed, including an unspecified number who had their credit card details taken. It affects customers who made bookings on or before September 10, 2018.

http://uk.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11?r=US&IR=T
https://www.prnewswire.com/news-releases/marriott-announces-starwood-guest-reservation-database-security-incident-300758155.html

You can enroll in the "identity" monitoring service provided by Marriott due to this breach here. It cannot be called "credit monitoring" because it doesn't provide access to viewing credit bureau report data (as held by Equifax, TransUnion, Experian) nor notifications when credit report data changes:
https://answers.kroll.com/us/index.html

Old Dec 5, 2018, 9:41 am
  #361  
J S
 
Join Date: Apr 2001
Posts: 592
The breach is bad. But it is not the truly inexcusable part.

What really makes me angry is how Marriott is responding and treating customers. While the breach is something that happened to Marriott/Starwood, how the company treats customers in the aftermath is purely a choice. Here are examples:
1) Telephone representatives have no information on whether a given customer's data was involved and what specific data was involved (e.g., which of my credit card numbers do I need to change?). This is true of both the Marriott call center and the Kroll contract call center.
2) When you call Kroll, they simply read the text on the website to you. They are completely unable to help.
3) The monitoring service is only for one year. Each of us will have my current passport number for up to 10 years (depending on renewal date). That is a serious mismatch.

We can argue about whether Starwood/Marriott did enough to protect us, but there was another (criminal) party involved. The response is purely up to Marriott. No one is forcing them to treat us this way.
J S is offline  
Old Dec 5, 2018, 9:49 am
  #362  
 
Join Date: Nov 2017
Posts: 3,359
<Rant> What I can't understand about these data breaches is why the companies responsible don't provide lifetime credit monitoring services to the people affected. Do they honestly believe that there's a one year grace period where criminals harvest and use the ill-gotten identity data? An argument could be made that the information stolen could impact someone at any point in their lifetime and so having such a service has gone from optional to vital. Is that too much to ask for?

AFAIC Equifax owes all US citizens complimentary access to their credit monitoring service for life. It surprises me that there hasn't been a class action lawsuit against the company to force their hand on this. Would it eat away at their revenue streams? Sure! But having your personal data leaked eats away at your quality of life! </Rant>

Safe Travels,

James
FlyerTalker70 is offline  
Old Dec 5, 2018, 10:44 am
  #363  
 
Join Date: Oct 2013
Location: ORD
Programs: UA Silver, Marriott Platinum/LT Platinum, Hilton Gold
Posts: 5,594
Originally Posted by j2simpso
<Rant> What I can't understand about these data breaches is why the companies responsible don't provide lifetime credit monitoring services to the people affected. Do they honestly believe that there's a one year grace period where criminals harvest and use the ill-gotten identity data?
It's an interesting question given the fact that some outside party has had access to the data for 4 years now. One might argue that the monitoring is actually useless at this point. Certainly an arbitrary year isn't worth much in terms of security. I would actually think the criminal that hacked the system would be less likely to use the data now that the breach was announced and people are watching for problems.

There's really no good answer for consumers in a data breach. The only real answer is don't give companies your data in the first place, which makes life increasingly difficult in today's digital world.
JBord is offline  
Old Dec 5, 2018, 11:13 am
  #364  
Moderator, Marriott Bonvoy & FlyerTalk Evangelist
 
Join Date: Oct 2002
Location: McKinney, TX, USA
Programs: United Silver; AA Plat/2MM; Marriott LT Titanium; Hilton Gold
Posts: 11,727
Originally Posted by JBord
I would actually think the criminal that hacked the system would be less likely to use the data now that the breach was announced and people are watching for problems.
Actually, this is a great time for them to attack using that data. You are sitting at your computer waiting for some communications from Marriott on what to do. All they need to do is use some of that info to send you that email before Marriott does (maybe with a slightly different weblink using marriot instead of marriott or something like that.)
C17PSGR and MSPeconomist like this.
hhoope01 is offline  
Old Dec 5, 2018, 11:29 am
  #365  
 
Join Date: Feb 2018
Programs: Bonvoy :Ambassador , ALL :Diamond, Skywards :Silver, Krisflyer :Silver
Posts: 2,802
Originally Posted by HHonors OUTSIDER
Probably the only good news from this breach is it gives Marriott the new name for the 2019 loyalty program "Marriott Secured Guest"
Abbreviated as MSG ... monosodium glutamate

Would be interesting to know what Marriott will do to:
1. Marriott loyalty members
2. Non members
that live outside the area that is covered by webwatcher
kaizen7 is offline  
Old Dec 5, 2018, 12:29 pm
  #366  
 
Join Date: Jun 2011
Location: DCA
Programs: AA EXP; BoNVoY Tit LTP
Posts: 1,921
This is kind of difficult to interpret accurately but Marriott may be buying us all new passports: https://www.washingtonpost.com/busin...=.b0102c317084

"In the wake of a colossal data breach that compromised sensitive personal information, including some passport numbers, of hundreds of millions of guests, Marriott International has agreed to pay for passport replacements if the company finds that customers have been victims of fraud."
ckendall is offline  
Old Dec 5, 2018, 12:45 pm
  #367  
FlyerTalk Evangelist
 
Join Date: Jun 2006
Location: IAD/DCA
Posts: 31,797
passports is interesting angle - how many breached then how many victimized

otherwise why would marriott offer compensation when no one else ever has ?

'free' 'monitoring' is 'scam' by the suppliers of it

multi factor using mobile phone has CAUSED compromised bank accounts, due to compromised mobile phone
MSPeconomist likes this.
Kagehitokiri is offline  
Old Dec 5, 2018, 2:18 pm
  #368  
 
Join Date: Jun 2008
Location: BDU
Programs: DL:MM, Marriott:LTT
Posts: 8,779
Originally Posted by ckendall
This is kind of difficult to interpret accurately but Marriott may be buying us all new passports: https://www.washingtonpost.com/busin...=.b0102c317084

"In the wake of a colossal data breach that compromised sensitive personal information, including some passport numbers, of hundreds of millions of guests, Marriott International has agreed to pay for passport replacements if the company finds that customers have been victims of fraud."
A) The limitation seems to make the promise hollow. You need to show evidence of fraud through your passport and related to the breach and Marriott makes the ultimate decision.

B) My new passport disappeared last year between the postal vehicle when it was down the street and my mailbox. Replacing it turned into a hassle until I reached out to my Senator. My Senator's office replaced it in one day at no charge and arranged a refund of what was originally paid for the lost passport. In other words, if you find there was fraud resulting in your needing a new passport quickly, you can go through your Congressperson's or Senator's office and it won't cost anything. Your Rep or Senator has staff that does this kind of thing every day.
CJKatl is offline  
Old Dec 5, 2018, 2:36 pm
  #369  
 
Join Date: Nov 2015
Location: BNE
Programs: NZ*G, QF Bronze, VA Red
Posts: 563
Originally Posted by hhoope01
Actually, this is a great time for them to attack using that data. You are sitting at your computer waiting for some communications from Marriott on what to do. All they need to do is use some of that info to send you that email before Marriott does (maybe with a slightly different weblink using marriot instead of marriott or something like that.)
There's a reason that security professionals have (at their own expense) registered pretty much every typo of marriott-email.com and marriott.com - because they know that's exactly what will happen.
kyanar is offline  
Old Dec 5, 2018, 2:49 pm
  #370  
 
Join Date: Jan 2008
Location: Plum Nelly
Programs: Marriott Bonvoy, Delta Sky Miles, and S&H Green Stamps
Posts: 636
Originally Posted by C17PSGR
And like the past four years, there seems to be no evidence of (a) credit card fraud against AMEX or Chase which would be much more easily detected as a pattern than in breaches involving Target/Home Depot, (b) no one with dark web monitoring reporting that their information is up for sale, and (c) no reports of points being stolen. Not sure I've seen anyone pop up and say they've actually been impacted sometime over the past four years.
So you're thinking that this was all a Marriott hoax to get a few million SPG folks to leave?
Old Hickory is offline  
Old Dec 5, 2018, 3:53 pm
  #371  
 
Join Date: Nov 2015
Location: BNE
Programs: NZ*G, QF Bronze, VA Red
Posts: 563
Originally Posted by Old Hickory
So you're thinking that this was all a Marriott hoax to get a few million SPG folks to leave?
No, he insists that it was a government espionage activity despite there being no evidence of that being the case.

Despite claims that data exfiltrated dates back to 2014, Marriott has not yet confirmed whether data dating back to 2014 was removed recently, or whether data has been removed constantly dating back to 2014. If it's the former, then obviously there would be no reports of fraud over the past four years. If it's the latter, then there are still lots of valid reasons why there have not been reports of fraud.
GUWonder likes this.
kyanar is offline  
Old Dec 5, 2018, 3:59 pm
  #372  
FlyerTalk Evangelist
 
Join Date: Jun 2006
Location: IAD/DCA
Posts: 31,797
could be state actor, that does not mean none of data will be passed on or used

agree with above post, there is not really any detail on exactly what happened yet
Kagehitokiri is offline  
Old Dec 5, 2018, 4:05 pm
  #373  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by Old Hickory
So you're thinking that this was all a Marriott hoax to get a few million SPG folks to leave?
Nope. Not sure where you get that from.

However, I think these facts strongly suggest (pick your words) the theft was by a state actor rather than a private criminal. If it was an economic crime, certainly Amex or Chase would have noticed that there was a pattern of fraud in their MR/SPG cards that was different than their United/Delta cards. If it was an attempt to steal SPG points, certainly there would have been a bunch of people on here who noticed the coordinated theft before it was reported anywhere else. If it was to get the random passport number (most reservations won't have that -- only certain countries require that info), we'd see some reports of that.

On the other hand, if it was a sophisticated state actor that decided to collect a lot of data of who was where and when they were there for the purpose of adding to their intelligence database, we wouldn't see any of those things.


Originally Posted by kyanar
No, he insists that it was a government espionage activity despite there being no evidence of that being the case.
And Marriott wouldn't dare suggest anything about the state actor for fear they would face restrictions on doing business in that country. Of course, all the indicia of a state actor are pretty obvious and there are no indicia of private criminal activity.

Last edited by yosithezet; Dec 5, 2018 at 8:31 pm Reason: Removed personal comment in line with FT Rule 12.2
C17PSGR is offline  
Old Dec 5, 2018, 4:07 pm
  #374  
FlyerTalk Evangelist
 
Join Date: Jun 2006
Location: IAD/DCA
Posts: 31,797
did they say anything about when it began though?

govts would deny involvement, so don't think they care
Kagehitokiri is offline  
Old Dec 5, 2018, 4:14 pm
  #375  
 
Join Date: Apr 2003
Location: SLC/HEL/Anywhere with a Beach
Programs: Marriott Ambassador; AA EXP 3MM; AS MVP, Hilton Gold, CH-47/UH-60/C-23/C-130 VET
Posts: 5,234
Originally Posted by Kagehitokiri
did they say anything about when it began though?

govts would deny involvement, so don't think they care
It began in 2014 so supposedly the breach has been ongoing for four years.
C17PSGR is offline  
