Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach (techcrunch.com)
An anonymous reader writes: Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach. The hotel and resorts giant said in a statement filed with U.S. regulators that the "unauthorized access" to its guest database was detected on or before September 10 -- but may have dated back as far as 2014. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014," said the statement. "Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it."
Specific details of the breach remain unknown. We've contacted Starwood for more and will update when we hear back. The company said that it obtained and decrypted the database on November 19 and "determined that the contents were from the Starwood guest reservation database." Some 327 million records contained a guest's name, postal address, phone number, date of birth, gender, email address, passport number, Starwood's rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.
Ding, ding, ding (Score:4, Funny)
Re: (Score:2, Funny)
Don't know why you bother being an AC here.....your details are all over the web.
Re: (Score:3)
Oopsie (Score:5, Funny)
Are they competing for Guinness World Record holder? Yahoo got top spot... until now.
Re: (Score:2)
So they should be fined $250,000,000,000.
Re:Oopsie (Score:5, Insightful)
Either secure your shit with modern tools, or burn down the current system completely and start from scratch.
These will not stop happening unless some punishment is added.
Re: (Score:2)
Re: (Score:3)
COPPA is worse.
It is going to come out that they either didn't patch like they are supposed to or left something open.
Re: (Score:2)
"Let see. I think companies should be fined a minimum of $500 per user record lost. Unless its a true 0-day"
That sounds great until how you define a record. Does a receipt you don't take at McDonald's for a shake that ends up on the floor count as a lost record? And how do you define and qualify a "true 0-day"? And why $500?
If you did have fines like this, you would be the one paying for the increased security because Marriott or whoever would have to spend millions and maybe billions to ensure this never h
Re: (Score:1)
Re:Oopsie (Score:5, Interesting)
No, they are saying there are 500 million RECORDS, but, of course, Tech Crunch turned that into "customers" and Slashdot copy/pasted as always.
Re: (Score:2)
So they are saying Starwood has stored data for 500 million "customers". Isn't that ~6.4% of the world population? Sounds fishy to me.
I thought it seemed a bit high too so I checked. According to
https://www.statista.com/statistics/247310/number-of-starwood-hotels-and-resorts-hotel-rooms-worldwide/
"This statistic shows the number of Starwood Hotels and Resorts hotel rooms worldwide from 2009 to 2016. There were more than 339 thousand Starwood Hotels and Resorts hotel rooms worldwide as of January 1, 2014."
That's a lot of rooms. Starwood includes many hotel brands.
Re: (Score:2)
Wow. Suddenly the number went from unbelievable to "1000 customers per hotel over X number of years". I almost got whiplash from that change in perception.
Re: (Score:2)
Re:Oopsie (Score:5, Informative)
Are they competing for Guinness World Record holder? Yahoo got top spot... until now.
Nothing will EVER top the OPM data breach of security clearance applications.
Address and CC number? Meh. OPM basically handed China the entire database of every cleared U.S. military or civilian person. Who they are. Where they work. What they do. Rank. Title. Clearance. ALL their dirty laundry. Crimes, convicted or not. Medical. Mental health. Finances. Drug use. Alcohol use. Foreign travel. Associations. Family (complete with SSN's for all!). Job history.
And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.
Re: (Score:3)
Are they competing for Guinness World Record holder? Yahoo got top spot... until now.
Nothing will EVER top the OPM data breach ...
And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.
Whoa. Dude. You got a t-shirt? Well I'm miffed. I'm getting the free MyIdcare.com credit monitoring. For the past couple years the only alerts I've gotten are for sexual predators moving into the neighborhood.
Re: (Score:3)
OPM basically handed China the entire database of every cleared U.S. military or civilian person.
Clarification: this quote is easily mis-read to mean "every cleared military person or civilian person", whereas it actually means "every military or civilian person who had a clearance", as wikipedia says the number of people affected was 21 million (a very significant number, just not nearly as massive as the population of the US).
My question is... (Score:4, Interesting)
Re: (Score:1)
Because companies think data is the new oil.
The more they have, the more they can use it to make $$$
Re:My question is... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
In Europe it's likely a legal requirement *not* to do that now. As far as I can see "legitimate interest" and "performance of contract" pretty much ends when the bill is settled and the room not trashed.
Re: (Score:2)
And they need all this years after the customer has left?
Where do you get this from? The 2014 figure is how far back the breach may have been occurring, not how much it stores.
Based on what shows up in the app, I can see only the past 24 months worth.
Re: (Score:2)
If you get points for staying in their hotels, they have to track that somehow.
Re: (Score:3)
It's a problem of degrees. Name: yes, Phone number: good idea, Address: maybe, Credit card number: no - the card company can process that, DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.
This is a problem entirely of their own making and they should be held accountable. A monster fine may well drive one of them out of business, but it sure as
Re: (Score:2)
I was a Starwood member, and can fill in a few reasons/things:
Address: To send the membership card and some legally required mailings, not to mention verify billing address
Credit Card Number: Storing this was always optional, and like anywhere you save payments it is a convenience/security tradeoff.
DOB: I don't remember ever providing that
Drivers License, Passport number: Nope, never provided those either, even for international bookings or bookings involving parking fees.
Re: (Score:2)
Re: (Score:2)
Forgot about that. I can see where they might grab the passport info [they ask to make a copy], but the driver's license domestically they just look at the picture (I usually don't even need to take it out of the wallet).
Re: (Score:2)
DOB - wtf
Legal requirement in many countries.
Drivers license number, Passport number - really !
Legal requirement in MOST countries.
If there isn't a legal requirement then they help themselves to keep their database standard.
This is a problem entirely of their own making and they should be held accountable.
The breach is a problem of their own making. The fact that they had to collect this information is not.
Re: (Score:2)
Re: (Score:2)
MOST countries maybe - but do you know that they need to collect this in the USA ? What's driving that requirement, Homeland security ?
Answered in the third sentence of my post.
Re: (Score:2)
Name definitely.
Phone number definitely, as GP said contacting customers in an emergency can be necessary.
Address comes along with ID verification, also for sending membership cards etc. Most people likely sign up voluntarily.
Credit card saved for most guests as that will allow direct access to room service, mini-fridge in the room etc. Few would insist on having to whip out the card every single time.
Date of birth falls under ID verification and is usually printed on driver's license or passport which is w
Re: (Score:2)
DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.
That information is a legal requirement to be collected in many countries for foreign travellers, it isn't something they do because they want to.
Re: (Score:2)
Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot
Another reason that you should adopt some GDPR like laws. Not storing personal info just because they think they can make a buck from it, they have to have a legitimate business reason or get your explicit permission.
Re: (Score:2)
Agreed, there should be more transparency on what data is collected, how long it's retained, what it's used for, and the ability to opt out of data collection. That's also the reasoning behind the "contact preference" field mentioned in the OP. This is probably where they are storing the opt-in preferences to stay in compliance with the CAN-SPAM act.
In terms of the "why are they storing such things?", though, this list of stuff isn't exactly earth shattering in terms of what a hotel would store about a cust
Re: (Score:1)
Re: (Score:1)
There are legal record keeping requirements for hotels.
Re: (Score:1)
Much stiffer penalties (Score:2)
Re: (Score:1)
In order to prevent this from happening, there needs to be much stiffer penalties for incidents like this. I am not talking financial ones but criminal ones. Subject the entire senior management to arrest and criminal prosecution for failing to take reasonable safeguards against incidents like this. Then you watch how serious IT departments will take information security.
It will not happen and should not happen. The problem is the IT guys have to be perfect 100% of the time, while the bad guys only have to be right once. Can you honestly state that you have ever made it through a day without making a single error of any kind?
IBM (Score:2)
I think that was the contract I was on when I worked at IBM years ago. I was managing IRS and TSA security servers for the first year but managing the servers was outsourced to India so I switched to a 100% telecommute contract with Starwood.
Regardless, working 100% was pretty much hell as every communication was business only and very strict so there was no camaraderie amongst the team. It pretty much killed any desire to telecommute after that.
[John]
A Møøse once bit my sister (Score:2)
Those responsible for sacking the people who have just been sacked have been sacked.
Obviously they have no institutional memory and haven't learned from their past mistakes.
Never give out your real card number (Score:1)
That's two breach headlines this week. These happen so often it's ridiculous. This is why you should never use your real card number for anything.
For online I always advocate to use PayPal, Visa Checkout, Masterpass or other similar payment system where you do not provide your card number to the merchant. If they don't support any this is where I would use a Privacy virtual debit card number. This uses disposable debit card numbers so that you don't have to worry about it being reused after a breach. I've b
Another breach!... (Score:2)
... and STILL nobody truly gives a shit. Until their identities get stolen.
Isn't enough enough already? How do we fix this? (Score:3)
Last I heard around here, it's entirely likely that nothing is safe, not critical infrastructure systems, not even military systems. So what the actual fuck needs to happen, here? How do we fix this?
I know who did it .... (Score:2)
I've been getting some wonderful spam telemarketing calls telling about wonderful vacation opportunities based on being selected as a Marriott or Wyndham customer.
The spammers are behind the break in or bought the list from the hackers who broke in.
oh - so that's who owns that DB on AWS!! (Score:3)
Security researchers have been looking for years to see who owns certain "open" shared databases on AWS.
Apparently Marriott just stepped forward to claim ownership.
Now that our data is effectively out in the open - there is little to identify us from a trustworthy source. I wonder how banks (et al) are changing to address this. Seriously - if a bank or cellphone company called me to ask where my payment is, I'd ask them to prove "I" opened the account.
My data has been leaked multiple times. Ticketfly, Anthem, Marriott, Experian, and others I can't remember. (plus Amazon leaked my email address -- via a bug in their "forgot password" feature that returned an error message if the account didn't exist, which I reported to them... thank you... still waiting for my $$$).
So what data isn't public? Now that everything is public, nothing is private (If everyone is Super, then no-one is)
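The "forgot password" bug the poster above describes is a classic account-enumeration oracle: the endpoint answers differently for registered and unregistered addresses, so anyone with a list of e-mails can confirm which ones have accounts. The following is an added illustration, not code from Amazon or from anyone in this thread; the account set, the two handlers and the probe routine are constructed for the example and the addresses are made up.

```python
"""Account enumeration through a password-reset endpoint, and the fix.

Added example for this thread; the user store and handlers below are
constructed for illustration and do not describe any real site's code.
"""
import secrets
from dataclasses import dataclass

# Constructed sample accounts (made-up addresses).
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def _send_reset_token(email: str) -> str:
    # Stand-in for the real mailer: mint a token and pretend to send it.
    return secrets.token_urlsafe(32)


def reset_leaky(email: str) -> Response:
    """Vulnerable pattern: status and message differ depending on whether
    the address exists, so the endpoint tells the caller who is a user."""
    if email not in KNOWN_ACCOUNTS:
        return Response(404, "No account found for that e-mail address.")
    _send_reset_token(email)
    return Response(200, "A reset link has been sent.")


def reset_uniform(email: str) -> Response:
    """Hardened pattern: identical status and body for known and unknown
    addresses. Mail goes out only when the account exists, but nothing in
    the response reveals which branch was taken."""
    if email in KNOWN_ACCOUNTS:
        _send_reset_token(email)
    return Response(
        200, "If an account exists for that address, a reset link has been sent."
    )


def enumerate_accounts(handler, candidates):
    """What an attacker does with the oracle: take a baseline response for
    an address that certainly does not exist, then keep every candidate
    whose response differs from it."""
    probe = "not-a-user-" + secrets.token_hex(8) + "@example.invalid"
    baseline = handler(probe)
    return sorted(e for e in candidates if handler(e) != baseline)


if __name__ == "__main__":
    wordlist = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("leaky  :", enumerate_accounts(reset_leaky, wordlist))
    print("uniform:", enumerate_accounts(reset_uniform, wordlist))
```

Making the HTTP response uniform closes the obvious channel, but the hardened handler still does more work for a real account (token generation, a mail send), so response time can leak the same bit. In a real deployment the send should be queued asynchronously so both branches return in the same time, and the same uniform-response rule applies to the registration and login endpoints, which are the other two places sites usually confirm that an address is already taken.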
We keep hearing "500 million customers" but... (Score:2)
It's really 500 million RECORDS. That's a big difference... that's still a lot, but the number of different people actually involved in the breach is likely much, much lower.
Also, we keep hearing "going back to 2014" - which means somebody was accessing it back then, not that that represents the oldest information.
I really can't stand the ambiguity/imprecision of these sort of reports.