Data Breach at Marriott International Affects 500 Million Starwood Customers

[cageymaru]

Marriott International, a leading hotel and resort chain has released a statement that discloses a data breach associated with 500 million customers that have used its Starwood guest reservation system. On September 10, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott hired leading security experts to assist with the investigation and it was discovered that the hackers had unauthorized access to the system since 2014. The cybercriminals had copied and encrypted the information and were trying to purge it from the system. Marriott's security team was able to decrypt and determine that the data was in fact the Starwood guest reservation database.

Of the 500 million affected Starwood customers, 327 million customers had information accessed that included: "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken." For the rest of the guests only limited information such as name and sometimes other data such as mailing address, email address, or other information was accessed. Marriott has reported the incident to law enforcement and notified regulatory authorities.

"We deeply regret this incident happened," said Arne Sorenson, Marriott's President and Chief Executive Officer. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward." Marriott began sending emails on a rolling basis on November 30, 2018 to affected guests whose email addresses are in the Starwood guest reservation database. Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. Marriott has established a dedicated call center to answer questions you may have about this incident.

 

[Ultima99]

Another day another breach.

At this point hasn't everyone's info been leaked 4 or 5 times over?

 

[cageymaru]

Another day another breach.

At this point hasn't everyone's info been leaked 4 or 5 times over?

No. They haven't collected enough information on humans yet.

 

[purple_monster]

LOL. i read these just for the responses from senior management- "we deepy regret having lessons learned looking for a path forward we have to do better server customersiasnd b bblah blah blah hahahah

 

[Krazy925]

Europe gonna throw the book @ them hopefully.

Elasticsearch comes to mind

 

[Twisted Kidney]

It will become illegal for companies to keep much of the data they're currently keeping some day soon.

Regulation is coming, keep your house in order or someone will sort it for you.

 

[Dead Parrot]

Who would have thought that it would take a hotel chain data breach to make the Equifax breach seem rather tame? Seems like the only data Starwood lacked was DNA samples. Of course, housekeeping could be collecting samples from all room guests.

 

[Nukester]

I just publicly posted my passwords on facebook.. Saves me the trouble.

 

[faugusztin]

Just four letters of nightmare for Marriott right now:

GDPR

If i calculated correctly, they might be hit with ~$1B fine, which is nearly their whole income from last year.

 

[ir0nw0lf]

I just publicly posted my passwords on facebook.. Saves me the trouble.

Mine is 1..2..3..4..5..

 

[TheOne&OnlyZeke]

Wow...this seems much worse then most breaches.
Passport numbers etc.
Peoples patterns will be eeked out of this and could even allow home breakins to occur

Well done Marriott

 

[DocNo]

That makes the below post by the former SVP of Technology Solutions for Starwood even more hilarious. His system had already been breached for 2 years at the time he posted: https://www.hospitalitynet.org/opinion/4078764.html

But: Agile!


BTW: I'm not knocking Agile itself - as a philosophy it was sound. I'm knocking people who profess things like Agile without demonstrating any clear understanding of what things like Agile were meant to do. The problem is thinking of philosophical things is hard so as humans we translate philosophy into rules and pretty soon the original philosophy is forgotten, the rules are perverted and take on a life of their own and you end up in the swamp again. Even stuff like http://asyncmanifesto.org can get perverted if you don't keep your eye on the prize - the outcome - vs. "the rules".

 

[DocNo]

It will become illegal for companies to keep much of the data they're currently keeping some day soon.

Regulation is coming, keep your house in order or someone will sort it for you.

Yeah just what we need - the government to save us. Governments don't have stellar records of keeping data either. And data is useful, so burying your head in the sand or thinking simplistic solutions like "just don't keep the data" aren't realistic.

No, there needs to be A LOT more discipline in computer science and programming. I'm not a pro government type by any stretch (in some ways GDPR is good but in others it's stupidly myopic too), but if you want regulations somewhere, formalizing requirements at least for the final people who sign off on delivered software code along the lines of professional engineering for plans and blueprints for buildings would be a great start. Personal professional liability is the only really way to get this under control; the bigger the company the less they care about fines.

Then again, if you look at crap like this:
Who you gonna sue under GDPR for that?

TLdr: Some guy writes some open source code that becomes popular. Over time he no longer cares much about it, but it's referenced by lots of other projects. Some random dude emails him offering to take over and he says "sure" and turns over the keys to the repository without vetting who this random anonymous dude is. Random anonymous dude promptly inserts bitcoin wallet stealing code into the source of a formerly trusted package and because people download Linux packages blindly on a routine basis (me too - how the heck am I supposed to vet the thousands of packages on even a minimal Linux install?!?), scores of sites are now running malware. Someone notices after a couple of weeks (thank god!) and hilarity ensues.

Along the same lines: https://hackernoon.com/im-harvestin...swords-from-your-site-here-s-how-9a8cb347c5b5

People would never run beta or alpha code in production but most open source software isn't much better when you can have crap happen like this, frankly. It's all a web of trust but it turns out that web is a very, very fragile one. If only people didn't suck.

It's time for computer science to grow up. Way past time.

BTW - if you really want to break out the tin foil hats: http://wiki.c2.com/?TheKenThompsonHack

Except it's all perfectly viable. Talk about inception.

 

[Fix Me]

Mine is 1..2..3..4..5..

That's amazing! I have the same combination on my luggage! :-O

 

[Wolf_Tech]

I worked for the marriotts here and there and this news does not surprise me one bit. There systems still use java old versions which do not run well in newer os's. Also the fact you have to turn off security to make such apps work makes for a big security mess. All day today at work only thing I had to say was. I told you so. No one ever listens to a technician.

 

[jtm55]

Hi All

It just keeps on happening. Unbelievable