Privacy Security

Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach (techcrunch.com) 71

An anonymous reader writes: Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach. The hotel and resorts giant said in a statement filed with U.S. regulators that the "unauthorized access" to its guest database was detected on or before September 10 -- but may have dated back as far as 2014. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014," said the statement. "Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it."

Specific details of the breach remain unknown. We've contacted Starwood for more and will update when we hear back. The company said that it obtained and decrypted the database on November 19 and "determined that the contents were from the Starwood guest reservation database." Some 327 million records contained a guest's name, postal address, phone number, date of birth, gender, email address, passport number, Starwood's rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.

  • by Anonymous Coward on Friday November 30, 2018 @09:53AM (#57725750)
    I'm a winner again in the data breach sweepstakes. I feel special.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Don't know why you bother being an AC here.....your details are all over the web.

    • You're not special. They lost more records than there are people in the U.S., Canada and Mexico combined. This wasn't a data breach, it was a data dump. We need laws that punish these... ahem, irresponsible companies.
  • Oopsie (Score:5, Funny)

    by war4peace ( 1628283 ) on Friday November 30, 2018 @09:56AM (#57725780)

    Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

    • Let's see. I think companies should be fined a minimum of $500 per user record lost. Unless it's a true 0-day

      So they should be fined $250,000,000,000.
      • "Let's see. I think companies should be fined a minimum of $500 per user record lost. Unless it's a true 0-day"

        That sounds great until how you define a record. Does a receipt you don't take at McDonald's for a shake that ends up on the floor count as a lost record? And how do you define and qualify a "true 0-day"? And why $500?

        If you did have fines like this, you would be the one paying for the increased security because Marriott or whoever would have to spend millions and maybe billions to ensure this never h

    • by Anonymous Coward
      So they are saying Starwood has stored data for 500 million "customers". Isn't that ~6.4% of the world population? Sounds fishy to me.
      • Re:Oopsie (Score:5, Interesting)

        by war4peace ( 1628283 ) on Friday November 30, 2018 @10:18AM (#57725884)

        No, they are saying there are 500 million RECORDS, but, of course, Tech Crunch turned that into "customers" and Slashdot copy/pasted as always.

      • So they are saying Starwood has stored data for 500 million "customers". Isn't that ~6.4% of the world population? Sounds fishy to me.

        I thought it seemed a bit high too so I checked. According to

        https://www.statista.com/statistics/247310/number-of-starwood-hotels-and-resorts-hotel-rooms-worldwide/

        "This statistic shows the number of Starwood Hotels and Resorts hotel rooms worldwide from 2009 to 2016. There were more than 339 thousand Starwood Hotels and Resorts hotel rooms worldwide as of January 1, 2014."

        That's a lot of rooms. Starwood includes many hotel brands.

        • by Calydor ( 739835 )

          Wow. Suddenly the number went from unbelievable to "1000 customers per hotel over X number of years". I almost got whiplash from that change in perception.

    • I thought Equifax was king...
    • Re:Oopsie (Score:5, Informative)

      by Anonymous Coward on Friday November 30, 2018 @10:44AM (#57726004)

      Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

      Nothing will EVER top the OPM data breach of security clearance applications.

      Address and CC number? Meh. OPM basically handed China the entire database of every cleared U.S. military or civilian person. Who they are. Where they work. What they do. Rank. Title. Clearance. ALL their dirty laundry. Crimes, convicted or not. Medical. Mental health. Finances. Drug use. Alcohol use. Foreign travel. Associations. Family (complete with SSN's for all!). Job history.

      And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.

      • Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

        Nothing will EVER top the OPM data breach ...

        And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.

        Whoa. Dude. You got a t-shirt? Well I'm miffed. I'm getting the free MyIdcare.com credit monitoring. For the past couple years the only alerts I've gotten are for sexual predators moving into the neighborhood [goo.gl].

      • OPM basically handed China the entire database of every cleared U.S. military or civilian person.

        Clarification: this quote is easily mis-read to mean "every cleared military person or civilian person", whereas it actually means "every military or civilian person who had a clearance", as wikipedia [wikipedia.org] says the number of people affected was 21 million (a very significant number, just not nearly as massive as the population of the US).

  • My question is... (Score:4, Interesting)

    by thomn8r ( 635504 ) on Friday November 30, 2018 @10:03AM (#57725810)
    Why are they storing all that data in the first place?
    • by Anonymous Coward

      Because companies think data is the new oil.
      The more they have, the more they can use it to make $$$

    • by enjar ( 249223 ) on Friday November 30, 2018 @10:26AM (#57725916) Homepage
      It's pretty routine information for a hotel to have on file. Imagine you were running a hotel ... what would you want to know about your customers?
      • When they are coming. You need to know how many rooms are booked to schedule staff, etc.
      • Who they are so you can verify them when they show up (name, address, DOB, etc)
      • How to contact them if you need to. For example, a water pipe bursts making the hotel uninhabitable and you need to let them know.
      • Passport number would be important for international visitors (and might be required by law)
      • Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot
      • Rewards number and balance is necessary for room upgrades, etc
      • by thomn8r ( 635504 )
        And they need all this years after the customer has left?
        • by enjar ( 249223 )
          Could be a legal requirement for the area the hotel is located in. Some countries are creepier than others.
          • by Anonymous Coward

            In Europe it's likely a legal requirement *not* to do that now. As far as I can see "legitimate interest" and "performance of contract" pretty much ends when the bill is settled and the room not trashed.

        • And they need all this years after the customer has left?

          Where do you get this from? The 2014 figure is how far back the breach may have been occurring, not how much it stores.

          Based on what shows up in the app, I can see only the past 24 months worth.

        • If you get points for staying in their hotels, they have to track that somehow.

      • It's a problem of degrees. Name: yes, Phone number: good idea, Address: maybe, Credit card number: no - the card company can process that, DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.

        This is a problem entirely of their own making and they should be held accountable. A monster fine may well drive one of them out of business, but it sure as

        • I was a Starwood member, and can fill in a few reasons/things:
          Address: To send the membership card and some legally required mailings, not to mention verify billing address
          Credit Card Number: Storing this was always optional, and like anywhere you save payments it is a convenience/security tradeoff.
          DOB: I don't remember ever providing that
          Drivers License, Passport number: Nope, never provided those either, even for international bookings or bookings involving parking fees.

          • I often get asked for ID when I check in, not when I make a booking. I suspect they harvest the information then.
            • Forgot about that. I can see where they might grab the passport info [they ask to make a copy], but the driver's license domestically they just look at the picture (I usually don't even need to take it out of the wallet).

        • DOB - wtf

          Legal requirement in many countries.

          Drivers license number, Passport number - really !

          Legal requirement in MOST countries.

          If there isn't a legal requirement then they help themselves to keep their database standard.

          This is a problem entirely of their own making and they should be held accountable.

          The breach is a problem of their own making. The fact that they had to collect this information is not.

          • MOST countries maybe - but do you know that they need to collect this in the USA ? What's driving that requirement, Homeland security ?
            • MOST countries maybe - but do you know that they need to collect this in the USA ? What's driving that requirement, Homeland security ?

              Answered in the third sentence of my post.

        • by Calydor ( 739835 )

          Name definitely.
          Phone number definitely, as GP said contacting customers in an emergency can be necessary.
          Address comes along with ID verification, also for sending membership cards etc. Most people likely sign up voluntarily.
          Credit card saved for most guests as that will allow direct access to room service, mini-fridge in the room etc. Few would insist on having to whip out the card every single time.
          Date of birth falls under ID verification and is usually printed on driver's license or passport which is w

        • DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.

          That information is a legal requirement to be collected in many countries for foreign travellers, it isn't something they do because they want to.

      • by AmiMoJo ( 196126 )

        Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot

        Another reason that you should adopt some GDPR like laws. Not storing personal info just because they think they can make a buck from it, they have to have a legitimate business reason or get your explicit permission.

        • by enjar ( 249223 )

          Agreed, there should be more transparency on what data is collected, how long it's retained, what it's used for, and the ability to opt out of data collection. That's also the reasoning behind the "contact preference" field mentioned in the OP. This is probably where they are storing the opt-in preferences to stay in compliance with the CAN-SPAM act.

          In terms of the "why are they storing such things?", though, this list of stuff isn't exactly earth shattering in terms of what a hotel would store about a cust

      • Comment removed based on user account deletion
    • by Anonymous Coward

      There are legal record keeping requirements for hotels.

    • Comment removed based on user account deletion
  • In order to prevent this from happening, there need to be much stiffer penalties for incidents like this. I am not talking financial ones but criminal ones. Subject the entire senior management to arrest and criminal prosecution for failing to take reasonable safeguards against incidents like this. Then you watch how serious IT departments will take information security.
    • by Anonymous Coward

      In order to prevent this from happening, there need to be much stiffer penalties for incidents like this. I am not talking financial ones but criminal ones. Subject the entire senior management to arrest and criminal prosecution for failing to take reasonable safeguards against incidents like this. Then you watch how serious IT departments will take information security.

      It will not happen and should not happen. The problem is the IT guys have to be perfect 100% of the time, while the bad guys only have to be right once. Can you honestly state that you have ever made it through a day without making a single error of any kind?

  • by Bigbutt ( 65939 )

    I think that was the contract I was on when I worked at IBM years ago. I was managing IRS and TSA security servers for the first year but managing the servers was outsourced to India so I switched to a 100% telecommute contract with Starwood.

    Regardless, working 100% was pretty much hell as every communication was business only and very strict so there was no camaraderie amongst the team. It pretty much killed any desire to telecommute after that.

    [John]

  • by Anonymous Coward

    That's two breach headlines this week. These happen so often it's ridiculous. This is why you should never use your real card number for anything.

    For online I always advocate to use PayPal, Visa Checkout, Masterpass or other similar payment system where you do not provide your card number to the merchant. If they don't support any this is where I would use a Privacy virtual debit card number. This uses disposable debit card numbers so that you don't have to worry about it being reused after a breach. I've b

  • ... and STILL nobody truly gives a shit. Until their identities get stolen.

  • It seems pretty clear to me that 'data security' doesn't exist, and any data stored anywhere that isn't literally air-gapped is fair game for any script-kiddie with an Internet connection (and even then, air-gapped doesn't exclude you from 'social engineering' and phishing attacks). So how do we fix this? Is it really just a matter of humans being careless, and we need a judicial (perhaps a literal use of the word) application of the Clue-by-Four to administrators and executives? Or are the programmers and systems administrators to blame?

    Last I heard around here, it's entirely likely that nothing is safe, not critical infrastructure systems, not even military systems. So what the actual fuck needs to happen, here? How do we fix this?
  • I've been getting some wonderful spam telemarketing calls telling about wonderful vacation opportunities based on being selected as a Marriott or Wyndham customer.

    The spammers are behind the break-in or bought the list from the hackers who broke in.

  • by ripvlan ( 2609033 ) on Friday November 30, 2018 @03:52PM (#57728326)

    Security researchers have been looking for years to see who owns certain "open" shared databases on AWS.

    Apparently Marriott just stepped forward to claim ownership.

    Now that our data is effectively out in the open - there is little to identify us from a trustworthy source. I wonder how banks (et al) are changing to address this. Seriously - if a bank or cellphone company called me to ask where my payment is, I'd ask them to prove "I" opened the account.

    My data has been leaked multiple times. Ticketfly, Anthem, Marriott, Experian, and others I can't remember. (plus Amazon leaked my email address -- via a bug in their "forgot password" feature that returned an error message if the account didn't exist, which I reported to them... thank you... still waiting for my $$$).

    So what data isn't public? Now that everything is public, nothing is private (If everyone is Super, then no-one is)

  • It's really 500 million RECORDS. That's a big difference... that's still a lot, but the number of different people actually involved in the breach is likely much, much lower.

    Also, we keep hearing "going back to 2014" - which means somebody was accessing it back then, not that that represents the oldest information.

    I really can't stand the ambiguity/imprecision of these sort of reports.
