
Marriott Discloses Missing Data Files 162

An anonymous reader writes "Marriott International has admitted that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company." From the Washington Post story: "Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes."

  • Great. (Score:4, Informative)

    by User 956 ( 568564 ) on Sunday January 01, 2006 @10:51PM (#14376667) Homepage
    With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million [cnn.com]. That should stop those crooks!
  • by QuantumG ( 50515 ) <qg@biodome.org> on Sunday January 01, 2006 @10:55PM (#14376680) Homepage Journal
    Unless your business model includes some sort of recurring billing, there is absolutely no justification for storing every digit of a credit card number. The first and last digits are more than enough for data matching purposes.
  • by Pampusik ( 458223 ) on Sunday January 01, 2006 @10:56PM (#14376688) Homepage
    I believe this concerns time share loans, in which case a SSN would be required in the credit process.
  • by Anonymous Coward on Sunday January 01, 2006 @11:00PM (#14376697)
    The reason you're now hearing about it is because states (California and others) have begun passing laws requiring companies to disclose these types of events.
  • by Pampusik ( 458223 ) on Sunday January 01, 2006 @11:14PM (#14376732) Homepage
    They would need to keep the SSNs to share with their loan servicer(s?) and backup companies.

    In most cases, when you take out a loan with somebody, your data is likely being shared with everybody they do business with related to the servicing of the loan... especially if you're a "high risk" customer (e.g., low credit score).

  • by mmclean ( 29486 ) <mike.mclean@pobox.com> on Sunday January 01, 2006 @11:24PM (#14376755)
    It is the Time Share division of Marriott, and they are required to have SSN's for those customers for mortgage interest reporting purposes.
  • That's nothing... (Score:5, Informative)

    by Anonymous Coward on Sunday January 01, 2006 @11:34PM (#14376775)
    AC for obvious reasons...

    I work the front desk at a competing 4-star hotel chain. I work the night shift ($10/hr to sit there babysitting the desk and reading/fiddling on my laptop, great job for students ;-)). Anyway, the first day, FIRST DAY! I was working there I had access to all the back-up tapes for the past month with every guest's name, address, phone number, what government agency/corporation they work for, and CC#s/expiration dates. The tapes are all sitting in a filing cabinet in the front office.

    So many people touch the tapes, front desk staff/accounting/reservations/IT, that if one went missing it would be impossible to track back to an individual. What's more, if I just picked up my own tape and made a dupe at night in 35 minutes while I'm there alone nobody would ever know.

    This is a 400 room hotel in a major U.S. city, access to literally tens of thousands of names, addresses and associating credit card numbers, all for filling out a standard job application that I may or may not have filled out accurately. Unbelievable.
  • Re:Secret Service? (Score:3, Informative)

    by rritterson ( 588983 ) * on Sunday January 01, 2006 @11:37PM (#14376784)
    The Secret Service also serves as the branch of law enforcement that investigates financial fraud and counterfeiting. From The Secret Service web page [secretservice.gov]:

    "The Secret Service also investigates violations of laws relating to counterfeiting of obligations and securities of the United States; financial crimes that include, but are not limited to, access device fraud, financial institution fraud, identity theft, computer fraud; and computer-based attacks on our nation's financial, banking, and telecommunications infrastructure."

  • by humphrm ( 18130 ) on Sunday January 01, 2006 @11:45PM (#14376812) Homepage
    Umm, I hate to say it, but a tape missing since last November constitutes a cover-up. Marriott only came out and admitted to the loss because their internal investigation turned up nothing.

    ABN Amro lost a tape with my data on it. The news was out that week. DHL found it, and even though the news agencies didn't cover it much, I got a follow-up letter from ABN Amro AND they extended the free credit tracking service from 3 months to 1 year.

    Marriott on the other hand waited over a month before they even notified the Secret Service, for crying out loud.

    No kudos to Marriott for this one. They're lucky that their month-long cover-up isn't criminal (yet).

  • Re:Great. (Score:5, Informative)

    by Dhalka226 ( 559740 ) on Sunday January 01, 2006 @11:47PM (#14376817)

    > I'm glad the Department of Homeland Security has had their budget cut to $16 million.

    That's misleading. Their RESEARCH budget for CYBERSECURITY is cut to $16 million, and that's only down 7% from last year, which means under $2 million in cuts.

    You can argue it should be higher if you wish, but don't make it sound like the entire DHS--or even cybercrime enforcement in general--is funded that sparsely.

  • by HD Webdev ( 247266 ) on Monday January 02, 2006 @12:14AM (#14376881) Homepage Journal
    Well, even if so...why did they keep the numbers? I've run into things where people wanted my SSN....which I pretty much refuse to give to anyone not associated with ssn taxes....but, to get around it...I just give a deposit in lieu of SSN.

    As far as loans, they keep the numbers because if a person defaults on the loan that's the only data they have that's unique to the person who defaulted. For example, if the debt gets sold cheaply to a debt collection agency, the collection agency needs that number to track the person if the person moves somewhere else. "John Jones of 123 Main St. Anytown, USA" isn't very useful if John Jones moves to another state.
  • by HardCase ( 14757 ) on Monday January 02, 2006 @12:22AM (#14376903)
    > Can anyone tell me why Marriott has the SSNs of Customers?

    They probably don't. As the article says, the backup tapes contained credit card numbers and SSNs of workers, time share owners and customers. That reasonably means that they've lost the credit card numbers of time share owners and customers and the SSNs of time share owners and employees.

    So they've lost this data, but it seems to me that they're being reactive in a positive way - they've notified the right people in government, they've contacted financial institutions and they've notified their customers, along with issuing a public statement about it.

    The article claims that the data requires "special equipment" to retrieve the data - some comfort, I guess, unless that special equipment isn't just a DAT drive and a backup program.

    I wouldn't call their measures "proactive", as did the Marriott spokesperson, but the company seems to be reasonably open about it.

    -h-
  • by llefler ( 184847 ) on Monday January 02, 2006 @12:27AM (#14376917)
    They need to keep your SSN for tax purposes. Depending on your agreement, the loan to 'buy' your timeshare is considered a mortgage. So they need to report interest to the IRS. Not to mention, a credit agency is going to use your SSN to avoid simple name collisions.

    As far as keeping your credit card number, they could be requiring it to cover maintenance fees or it's possible customers are automatically having their loan payments charged to their credit card. I do that with a couple of my monthly expenses so I don't have to write a check. (having both electronic withdrawals and automatic billing to credit cards, I prefer the latter)

    While I suppose you can get around these by buying the timeshare outright, and prepaying maintenance fees, most customers do not want to do that.
  • by Anonymous Coward on Monday January 02, 2006 @12:28AM (#14376920)
    Someone mentioned obscurity through hardware regarding backups.

    I'm about 95% sure that this group of Marriott is running the D3 database (formerly known as The Pick System, O/S, etc.) It's been a few years since I have spoken with them, but they used to be my client.

    D3 in and of itself would provide some level of obscurity, as the "Pick" data format is unique, with embedded metacharacters to delimit its "Multi-value" item (record) structure, plus a unique storage method for tape archives.

    The possible bad news is that Pick data structures are all ASCII, including its tape backups, unless Marriott had saved these as "binary backups", which would then only be useful for restoration on the exact same machine configuration from which it was saved. So it's likely these are in what is known as "file-save" tapes.

    And there is no intrinsic encryption available in D3, so that is off the table.

    So, someone with malicious intent who got their hands on these would have to either know D3 or be able to read blocks off the tapes and try to noodle out how to extract the data to make any use of it.

    Or, they could just get a cheap version of D3 and restore the tapes, then have a data orgy with D3's terrific inherent natural language reporting.
  • Re:I don't know... (Score:3, Informative)

    by Vellmont ( 569020 ) on Monday January 02, 2006 @12:39AM (#14376959) Homepage

    > If you encrypt a database backup and there is an error on the tape, the backup could easily be useless.

    Only under certain modes of block ciphers. If you use an electronic code book mode of a block cipher you only lose the block with the error on it. It's not as secure of course, but it's a lot better than nothing.
  • by Anonymous Coward on Monday January 02, 2006 @12:42AM (#14376977)
    > A single block error could render an entire encrypted archive useless.

    Huh? Where in the world did you come-up with that?

    That would only be true if your encryption uses CBC (Cipher Block Chaining) mode. That's where you XOR each block with the ciphertext of the previous block. An error in one block affects that block and every subsequent block like you describe.

    When you use ECB (Electronic Code Book), the regular DES algorithm, you encrypt each 64-bit block independently. Errors only affect the data in the block containing the error. This is faster and easier to implement than CBC mode, so it's what a lot of products use.

    I've seen a couple of companies play around with using encryption on their backups, but they stopped for the same reason I've seen more intentionally not use it. You don't want to pull out a tape from a library and not be able to read it. Do you really want to keep up with a list of passwords for a decade or more? Would you want to be the IT director who has to tell a CEO that the $250k you've spent on backup tapes and storage costs was for naught since you can't read the tape? I saw a CTO fired for exactly that.

    Of course since I'm responding to a registered user, I'll be marked as a troll or flamebait so this response will never be read. I don't know why I bother posting on this cesspool. Posts like the one I'm replying to that are just plain wrong are given points, but the best posts are given -1's if they're from people that aren't logged in.
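The two posts above argue about how far a single tape error travels through an encrypted backup under ECB versus CBC. The following is an added demonstration, not code from this thread or from any backup product: it uses a small hash-based Feistel network as a stand-in 64-bit block cipher (the mode behaviour being shown does not depend on which block cipher sits underneath; the key, IV and record contents are constructed for the demo), encrypts six fixed-size records in each mode, flips one bit in ciphertext block 2, decrypts, and reports which records no longer match. The result shows the damage is confined to one block under ECB and to exactly two blocks under CBC (the corrupted block is fully garbled and the next block gets the same bit flipped), so a single tape error does not by itself destroy a CBC archive either.

```python
"""ECB vs CBC: how far one damaged ciphertext block propagates on decryption."""
import hashlib

BLOCK = 8    # 64-bit blocks, the size used in the thread's DES example
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the Feistel network: truncated SHA-256.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in block cipher (hash-based Feistel network), NOT DES or AES.
    # The modes below behave the same way over any block cipher.
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l


def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]          # undo the final swap
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:           # PKCS#7-style padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently of its neighbours.
    return b"".join(block_encrypt(key, b) for b in blocks(pad(data)))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(data)))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block.
    out, prev = [], iv
    for b in blocks(pad(data)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def flip_bit(data: bytes, block_index: int, bit: int = 0) -> bytes:
    # Simulate a single-bit tape error in the first byte of one block.
    pos = block_index * BLOCK
    return data[:pos] + bytes([data[pos] ^ (1 << bit)]) + data[pos + 1:]


def damaged_blocks(mode: str) -> list:
    """Encrypt six constructed 8-byte records, flip one bit in ciphertext
    block 2, decrypt, and return the indices of records that no longer match."""
    key = b"demo-backup-key-"            # constructed demo key, not a real one
    iv = bytes(range(BLOCK))              # constructed IV
    records = [f"REC{i:05d}".encode() for i in range(6)]
    plaintext = b"".join(records)
    if mode == "ECB":
        recovered = ecb_decrypt(key, flip_bit(ecb_encrypt(key, plaintext), 2))
    elif mode == "CBC":
        recovered = cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, plaintext), 2))
    else:
        raise ValueError(mode)
    got = blocks(recovered)
    return [i for i, rec in enumerate(records) if got[i] != rec]


if __name__ == "__main__":
    for mode in ("ECB", "CBC"):
        print(mode, "records lost after one flipped bit:", damaged_blocks(mode))
```

The trade-off the thread is circling is visible in the code: ECB's independence is what limits error propagation, but it is also why two identical records produce identical ciphertext blocks, which is the security cost Vellmont alludes to. Either way, the larger operational risk the AC raises (a key nobody can find a decade later) is a key-management problem, not a property of the mode.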
  • by Halfbaked Plan ( 769830 ) on Monday January 02, 2006 @02:04AM (#14377155)
    > Not to mention, a credit agency is going to use your SSN to avoid simple name collisions.

    Maybe in your world it's okay for SSN's to be routinely dancing around in credit agency computers to prevent 'simple name collisions' but not in mine.

    They're in big trouble if the only 'tag' they have to distinguish between customers is the SSN. There aren't that many cases where people with a common street address have the same exact name. They can use Zipcode+4 if they really have that shaky a system that they need a distinguishing number to use.

  • by Martin Blank ( 154261 ) on Monday January 02, 2006 @04:31AM (#14377425) Homepage Journal
    They're providing free credit monitoring services to those affected. That's more proactive than most companies, who usually do little more than notify the affected people.
  • Re:That's nothing... (Score:3, Informative)

    by imipak ( 254310 ) on Monday January 02, 2006 @11:15AM (#14378485) Journal
    Sadly all too believable. As you move out of education into the real commercial world you'll notice this sort of crap happens routinely, virtually everywhere you look. Word of advice: be careful how you go about it if you try to raise such things with management. It's rare that you'll get thanked for it, because they will have to spend time & money on fixing stuff that in their eyes doesn't need fixing. Go read Bruce Schneier's writings about externalities (CryptoGrams passim). He's been harping on about this sort of thing for years - how the cost of security isn't borne by the ones responsible for fixing stuff, so they have no incentive to do so. How you fix this sort of thing is something of a topic in economics. I guess Wikipedia'll have something too, come to think of it, hmmm where's my other tab...

    This is why apparently lame legislative and regulatory setups can be a good thing. Certs such as ISO17799, Sarbanes-Oxley, HIPAA, NIST etc etc actually connect how well a company does with how secure it is. Much of the security that would seem like common-sense no-brainers to most of us is actually not worth the org's time and money. (Of course then you get into risk management topics, and quantifying risks, which is very hard to do. How likely is it that your 150 staff, who all use Internet Explorer, will get infected with a drive-by trojan? If they use Firefox? What about Firefox on OS/X? Now, how do you back up your intuitive answers with empirical evidence from the real world?)

    Fancy a career in infosec? It's a lot more fun than it sounds, actually ;)
