Marriott Discloses Missing Data Files 162
An anonymous reader writes "Marriott International has admitted that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company." From the Washington Post story: "Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes."
why do they have SSNs for customers? (Score:5, Interesting)
Time-share owners, maybe, employees definately, but customers? Why?
Re:Identify theft a fad? (Score:5, Interesting)
This is a quite old crime. The difference is that now identity theft of everyday people can be lucrative, and you don't even need to look like them or deal with tricking others. And you don't have to worry about being lynched or stoned, just going to jail.
Re:Lost != Stolen (Score:4, Interesting)
Considering the time of year, no doubt some Marriott PHB who was looking for some extra X-Mas cash decided to "sell their list". While many companies have absolutely no qualms about selling customer information (AKA creating a new "profit center"),
I am more inclided to believe that the backup tapes were lost or stolen, rather than a conscious effort to create a new corporate profit center.
Then again, John Poindexter's "Total Information Awareness" project (entirely DoD databases) was morphed into "MATRIX", which was designed to make use of multiple commercial (and commercially available) databases. So, perhaps, it was was merely an "extra patriotic" Marriott employee.
Considering recent events in the news (non-FISA approved wiretapping), perhaps one possibility is just as scary as the other...
Re:why do they have SSNs for customers? (Score:4, Interesting)
Well, even if so...why did they keep the numbers? I've run into things where people wanted my SSN....which I pretty much refuse to give to anyone not associated with ssn taxes....but, to get around it...I just give a deposit in lieu of SSN.
Use a stream cipher (Score:3, Interesting)
With that set up, encrypt the main contents of the tape with a stream cipher (say, RC4) with the tape key.
This way, damage to a certain area of the tape will not result in a complete loss of data. Using a random key for each tape eliminates the big cryptographic no-no of using a stream cipher key twice.
Melissa