Marriott Discloses Missing Data Files

An anonymous reader writes "Marriott International has admitted that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company." From the Washington Post story: "Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes."
  • by Anonymous Coward on Sunday January 01, 2006 @10:52PM (#14376670)
    Mid November? I think some people would have wanted to know sooner. Why are we just now finding out about this?
  • Re:Great. (Score:3, Insightful)

    by dc29A ( 636871 ) on Sunday January 01, 2006 @10:55PM (#14376683)
    Why is the job of Homeland Security to secure the data storage of a random company? Start putting out heavy fines on companies who fail to securely store customer data and the problem will go away. Right now there is no "incentive" for companies to keep personal data stored safely. A little PR can take care of a hack.

    Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.
  • Re:Great. (Score:4, Insightful)

    by User 956 ( 568564 ) on Sunday January 01, 2006 @11:01PM (#14376699) Homepage
    Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.

    I'm hearing you. I think the way the SSN system works with the financial system is horribly inefficient, insecure, and prone to abuse. But you need to cover both ends. Security on the front end, and proper policing on the back end. Cutting the DHS budget certainly isn't going to help-- especially when hundreds of millions are allocated for projects like the bridge to nowhere. [usatoday.com]
  • by dlaur ( 135032 ) on Sunday January 01, 2006 @11:02PM (#14376703)
    Let me ask a simple question: Why don't they encrypt this stuff?
  • Re:Great. (Score:5, Insightful)

    by dangitman ( 862676 ) on Sunday January 01, 2006 @11:05PM (#14376711)
    With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million. That should stop those crooks!

    Given the lack of competence of DHS, eliminating their funding can only be a good thing. They only seem to make things worse, and haven't really shown any evidence of being effective at doing anything other than wasting money and eroding civil liberties.

  • by TheFlyingGoat ( 161967 ) on Sunday January 01, 2006 @11:10PM (#14376728) Homepage Journal
    Many companies out there wouldn't even know if their tapes had been misplaced or lost. At 3 companies I've worked for, we've had tapes lying around in managers' offices and server rooms, many that contain information that could be used for identity theft.

    Marriott has handled this correctly and deserves some credit for doing so. At least they're not trying to cover it up like some companies would.
  • fraud monitoring (Score:5, Insightful)

    by spoonyfork ( 23307 ) on Sunday January 01, 2006 @11:12PM (#14376730) Journal

    I'm glad to read Marriott is offering credit fraud monitoring to the affected people, like Ford offered to its employees when they recently lost 70,000 employee/retiree SSNs. [freep.com] Unless it is lifetime monitoring I fail to see the long term value.

    Wait a second, why don't the credit bureaus offer free lifetime credit fraud monitoring to everyone in the first place?

  • by Anonymous Coward on Sunday January 01, 2006 @11:30PM (#14376765)
    Exactly! Why do they keep this shit? And how come they are never held accountable when they do?

    It seems to go like this: "Oops we just lost all your personal information (or had it stolen). Sorry." And that's the end for them. And that's the possible beginning of a nightmare for you.

    I mean what the fuck? Where is the accountability? If they store that information, they should be held accountable for doing so.

    Marriott should, at the least, be fined a LARGE amount ($$ millions) or have some sort of charges brought against them. That goes for anyone else holding my information and disclosing it.

    Where the fuck is the outrage at this practice?
  • Re:Great. (Score:2, Insightful)

    by gasjews ( 941147 ) on Sunday January 01, 2006 @11:35PM (#14376779) Homepage
    Can we say inefficient and bloated government administration?

    I always vote down school tax proposals because our local school system has yet to manage to improve the quality of education or teaching while managing to find all sorts of things to spend money on like new toys for the administration to play with, overpriced school complexes (65 million dollars for a school that reasonably holds 3000 at best?), marketing campaigns, etc.

    DHS doesn't need more money. They need to be smart. Unfortunately, bureaucracies are just an extension of modern democracy and modern democracies are largely incapable of meaningful consensus or leadership.
  • by ScrewMaster ( 602015 ) on Sunday January 01, 2006 @11:40PM (#14376795)
    that if these large corporations can't be trusted to play with their computers safely, maybe they should have them taken away. At the very least, I think some adult supervision should be required by law. And if that doesn't work, send them back to using typewriters and filing cabinets.
  • by michaelaiello ( 841620 ) on Sunday January 01, 2006 @11:47PM (#14376815) Homepage
    Lists of incidents

    A report (with pretty graphs) from a recent financial engineering class. Data was from Feb to Sep 2005...
    The 83 recorded loss events were categorized by loss event type and by industry sector. The data is relevant over 232 days. This yields a probability of a loss event occurring in any sector on any given day of 35.7%. If only events affecting financial services institutions are counted, the probability is 7.5%.

    http://privacydata.michaelaiello.com/paper.pdf [michaelaiello.com]

    Bring forth the math corrections
  • I don't know... (Score:2, Insightful)

    by Chabil Ha' ( 875116 ) on Sunday January 01, 2006 @11:48PM (#14376822)
    and maybe I'm just ignorant, but WHY DON'T THEY ENCRYPT ALL THAT INFORMATION WHEN IT LEAVES THE MAIN DATA WAREHOUSE? It seems to me that by encrypting its contents, you put some security around it should it be lost/stolen/etc. Can anyone explain why this isn't done?
  • by toddbu ( 748790 ) on Sunday January 01, 2006 @11:55PM (#14376842)
    Can anyone tell me why Marriott has the SSNs of Customers?

    I think that you're asking the wrong question here. Shouldn't you be asking "why does it matter if they keep your SSN?" Our whole system of using SSNs to identify people is broken, and if Congress would get off their lazy duffs and fix the problem then maybe it wouldn't matter if someone had my SSN number or not. A simple change to credit reporting laws that would require a second level of verification of the identity of a consumer before granting credit, like what happens when you put a fraud alert on your credit report, would go a long way toward fixing this problem. But those who issue credit are afraid that if you got rid of easy credit then their market would collapse. I'll agree that some people would be inconvenienced by such a system (like those who move around a lot), but it sure would reduce fraud. At the very least, I should have the option of making a fraud alert permanent, and to have complete control over who can view my credit history. Then maybe it wouldn't make such a difference if someone got my personal information.

  • by HermanAB ( 661181 ) on Sunday January 01, 2006 @11:58PM (#14376848)
    No, only the *reporting* of leaks will stop instantly...
  • Re:Great. (Score:3, Insightful)

    by Ravatar ( 891374 ) on Monday January 02, 2006 @12:16AM (#14376892)
    That won't necessarily eliminate carelessness on the companies' part. If the fine is less than the cost to properly secure the data, nothing will change.

    The only group that benefits in this case is the government.
    Why stop there? Why does any entity need to hold on to my SSN? Why not just make it illegal to do so? I work with large databases every day (100k+ "souls") and it is insane to me that we keep the SSN for all these people. What a security nightmare/identity thief's dream. I've argued with my boss several times that we should dump the SSN and just keep a few hashes instead (md5/sha1/whatever). He doesn't like that idea for valid reasons (mainly compatibility with other systems that don't know shit about a hashed SSN).

    I really wish congress would pass a law stating that no private entity without a federal charter can hold an SSN longer than 30-60 days. I could then share hashed SSNs with various other DBs because they would have to deal with those, or face the legal consequences.

    Of course I think all commercial entities should be mandated to purge all customer data after two years as well. Why should Sears keep my SSN on file forever just because I had a credit card with them 10 years ago?

  • Re:Great. (Score:3, Insightful)

    by Jeff DeMaagd ( 2015 ) on Monday January 02, 2006 @12:36AM (#14376948) Homepage Journal
    With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million.

    Is this a real budget cut, or a cut in projected increases?

    Government budget cuts are the most preposterous lies I've seen in a long time. Say the next year's budget is slated to increase 8%. Let's just say that increase is reduced to 4%. Politicians, pundits and media people can then claim (or complain of) a 4% cut, despite that in reality, it was still an increase, the cut was from an imaginary budget that was never enacted. I wish my pay suffered a government budget cut.
  • by lazlo ( 15906 ) on Monday January 02, 2006 @01:23AM (#14377071) Homepage
    I've argued with my boss several times that we should dump the SSN and just keep a few hashes instead (md5/sha1/whatever). He doesn't like that idea for valid reasons (mainly compatibility with other systems that don't know shit about a hashed SSN).

    I could be wrong about this, but here's another reason to think of. Hashing the SSNs in the database doesn't raise the bar much for ID thieves. There are 1G possible SSNs. According to my calculations (and the output of "openssl speed md5"), calculating and storing the MD5 of all of them would take my computer about 30 minutes and would take up about 20GB of drive space. After which, looking up an SSN from the hash would be fairly easy.

    My first thought was "add some salt", but SSNs aren't passwords (although they're used like passwords fairly often), they're indexes. So if I've got info on my John Doe, and want to see what info you have on that same John Doe, unless we happened to use the same salt we're screwed.

    The only solution I can see would be to use deterministic salt: store the MD5 of, for instance, the person's SSN.DOB. That would make it so that the problem for the attacker is (assuming he only cares about people 18-65 years old) 17,155 times harder. So now the database is over 300 TB, and it takes a year to calculate (on my machine). But it means that everyone has to start collecting DOB (which they mostly do anyway - but it would now be necessary) and would have to agree to use MD5(SSN.DOB) as a person's identifier. Thinking about it, that might not be so bad... But it'll still take an act of God or congress to get everyone to start doing it. And I'm guessing God might be more likely.
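    The two comments above (the "just keep a hash of the SSN" proposal and the reply working out how cheaply md5(SSN) and md5(SSN.DOB) can be tabulated) can be checked with a small program. This is an added example, not code from the thread or from any of its posters. It scales the identifier space down to a constructed 4-digit range (10,000 values) so the lookup table builds in milliseconds, and it adds the alternative a record keeper would normally reach for: a keyed token (HMAC-SHA256 under a secret that is not stored in the database), which stays deterministic for matching between parties that share the key but cannot be tabulated without it. The key, the DOB list and the identifier format are all constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed demo space: 4-digit identifiers stand in for the ~1e9 real SSN
// space so the table builds instantly. The point is the ratio: a keyless,
// deterministic hash table is exactly as large as the identifier space.
const idSpace = 10000

func idString(n int) string { return fmt.Sprintf("%04d", n) }

// UnsaltedMD5 is the scheme proposed in the thread: store md5(SSN) instead of the SSN.
func UnsaltedMD5(id string) string {
	sum := md5.Sum([]byte(id))
	return hex.EncodeToString(sum[:])
}

// SaltedMD5 is the "deterministic salt" variant from the reply: md5(SSN.DOB).
func SaltedMD5(id, dob string) string {
	sum := md5.Sum([]byte(id + "." + dob))
	return hex.EncodeToString(sum[:])
}

// KeyedToken replaces the bare hash with HMAC-SHA256 under a secret key held
// by the record keeper and never written next to the data. Two parties that
// share the key get the same token for the same person; without the key the
// lookup table below cannot be built.
func KeyedToken(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildTable precomputes hash -> identifier over the whole space for any
// keyless scheme. This is the "30 minutes and 20GB" step from the reply, scaled down.
func BuildTable(hashFn func(string) string) map[string]string {
	t := make(map[string]string, idSpace)
	for n := 0; n < idSpace; n++ {
		id := idString(n)
		t[hashFn(id)] = id
	}
	return t
}

// BuildSaltedTable does the same for md5(SSN.DOB): one entry per (identifier, DOB)
// pair, so the table grows by a factor of len(dobs) but still reverses the hash.
func BuildSaltedTable(dobs []string) map[string]string {
	t := make(map[string]string, idSpace*len(dobs))
	for n := 0; n < idSpace; n++ {
		id := idString(n)
		for _, d := range dobs {
			t[SaltedMD5(id, d)] = id
		}
	}
	return t
}

// Reverse looks a stored hash up in a precomputed table.
func Reverse(table map[string]string, h string) (string, bool) {
	id, ok := table[h]
	return id, ok
}

func main() {
	stored := UnsaltedMD5("4321")
	id, ok := Reverse(BuildTable(UnsaltedMD5), stored)
	fmt.Printf("md5(SSN) %s... -> %q (recovered: %v)\n", stored[:8], id, ok)

	// Constructed DOB list; the reply's estimate uses ~17,155 dates for ages 18-65.
	dobs := []string{"1970-01-01", "1985-06-15", "1999-12-31"}
	saltedTable := BuildSaltedTable(dobs)
	id, ok = Reverse(saltedTable, SaltedMD5("4321", "1985-06-15"))
	fmt.Printf("md5(SSN.DOB), %d-entry table -> %q (recovered: %v)\n", len(saltedTable), id, ok)

	key := []byte("constructed-demo-key-kept-outside-the-db")
	tok := KeyedToken(key, "4321")
	// Without the key, the best an attacker can do is tabulate under a guess.
	guessTable := BuildTable(func(s string) string { return KeyedToken([]byte("wrong-guess"), s) })
	_, ok = Reverse(guessTable, tok)
	fmt.Printf("HMAC token %s... -> recovered without key: %v\n", tok[:8], ok)
}
```

    The keyed token keeps the property the second poster cared about (the same person maps to the same value everywhere the key is shared) while moving the secret out of the data set, so losing the tapes no longer hands over a reversible copy of every SSN; the key itself then becomes the thing that has to be protected and rotated.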
  • ENCRYPTION!!!! (Score:3, Insightful)

    by carlislematthew ( 726846 ) on Monday January 02, 2006 @01:57AM (#14377136)
    I'm getting fed up with these irresponsible companies backing up sensitive data with NO ENCRYPTION. We're talking about international companies here, sending plain-text data around on tapes. Sometimes, companies have been caught sending tapes through UPS!

    It's realistic to expect that there is sensitive data out there - the answer is not to say "don't store my SSN", although that should certainly be restricted.

    It seems to me that the answer is ENCRYPTION! Encrypt the data and you can back it up on fucking postcards and send it to my grandmother for all I care.
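    Several posters above ask why the tapes were not encrypted before they left the building, and this last comment says encrypted media can travel by postcard. As an added example (not code from the thread or from Marriott), here is the shape of that control in Go: a backup image sealed with AES-256-GCM under a key that is stored apart from the tape, so a lost tape yields ciphertext only, and any modification or wrong key is detected on restore rather than silently producing garbage. The record contents and the key are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM instance; the key must be exactly 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("backup key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals a backup image and returns nonce || ciphertext || tag.
// The key belongs in a key management system or an HSM, never on the tape:
// if the key ships with the media, the encryption protects nothing.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, so the output is self-describing.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup opens a sealed image. A flipped byte, a truncated tape or a
// wrong key all fail the GCM tag check and return an error instead of data.
func DecryptBackup(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed backup is truncated")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed key for the demo; a real one comes from a KMS, not a literal.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed backup record standing in for the tape contents.
	record := []byte("owner_id=000001,name=J. Doe,card=****,ssn=***-**-****")

	sealed, err := EncryptBackup(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape carries %d bytes of ciphertext, no key\n", len(sealed))

	restored, err := DecryptBackup(key, sealed)
	fmt.Printf("restore with key: %q err=%v\n", restored, err)

	sealed[len(sealed)-1] ^= 0x01 // one bit changed in transit
	_, err = DecryptBackup(key, sealed)
	fmt.Printf("restore of tampered tape: err=%v\n", err)
}
```

    The random 96-bit nonce is fine for the number of tape images a single key would realistically seal; what matters operationally is that the key is escrowed and rotated separately from the media, and that restore drills actually exercise the decrypt path so a lost key is noticed before a lost tape is.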
