
Marriott says data on 500m customers at risk in vast breach

Sir Asvald

Sources:
https://www.ft.com/content/1a4a5dea-f492-11e8-9623-d7f9881e729f
https://www.bbc.co.uk/news/technology-46401890

 

From https://www.ft.com

 

Quote

The world’s biggest hotel company Marriott International said on Friday the personal details of up to 500m guests were at risk as a result of a massive data breach that had been going on since 2014.

Marriott said its Starwood Hotels & Resorts guest reservation database had been the victim of a “security incident” and had been unlawfully accessed. The database contained the reservation details of up to 500m guests, of which around 327m records listed details including some combination of the person’s name, phone number and passport number among other things.

“For some, the information also includes payment card numbers and payment card expiration dates,” said Marriott in a statement.

The hotel chain said it had not been able to rule out the possibility that information needed to decrypt payment card numbers was taken.

Marriott said it had only become aware of the breach in September this year, when it was alerted by an internal security tool regarding an attempt to access the Starwood database in the US.

However, during the course of its internal investigation the hotel chain said it had learned “that there had been unauthorised access to the Starwood network since 2014.” Marriott bought the Starwood chain in 2016 for $13.6bn.

Marriott said it had determined the extent of the problem on November 19, following which it had notified law enforcement. The company said it was working with its insurance providers and expected to disclose costs related to the incident in due course, but said it did not anticipate the breach to “impact its long term financial health.”

Marriott said it had established a dedicated website and call centre to answer customer questions about the incident, and would also begin emailing affected guests to notify them of updates.


 

 

From https://www.bbc.co.uk/news

Quote

The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party.

It said an internal investigation found an attacker had been able to access the Starwood network since 2014.

The company said it would notify customers whose records were in the database.

Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information".

It said it believed its database contained records of up to 500 million customers.

For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information.

It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

"We deeply regret this incident happened," the company said in a statement.

"Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities."

The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.

This is bad. I mean BAAADDD. Insecure passwords, outdated software. Stuff never gets updated/upgraded. How can you not have any type of monitoring software or even hardware such as IDS/IPS? The company is worth over $2 Billion...

 

 

 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


I work in the industry- the people behind IT for most of the big hotel brands don't do shit regarding security. I've been pushing for small things like transitioning to a password manager for nearly 5 months now and still nothing.

 

For a handful of the websites, its backend is so outdated and weak a 10 year old could get into it. I'm not surprised this is coming to light.

 

Community Standards || Tech News Posting Guidelines

---======================================================================---

CPU: R5 3600 || GPU: RTX 3070|| Memory: 32GB @ 3200 || Cooler: Scythe Big Shuriken || PSU: 650W EVGA GM || Case: NR200P


3 minutes ago, Slottr said:

I work in the industry- the people behind IT for most of the big hotel brands don't do shit regarding security. I've been pushing for small things like transitioning to a password manager for nearly 5 months now and still nothing.

 

For a handful of the websites, its backend is so outdated and weak a 10 year old could get into it. I'm not surprised this is coming to light.

 

What I find funny is, people think to protect against high-level threats,
and then people come in, ask for the password pretending to be IT, and get it.

Just building a solid back end is not the solution to this, especially with low-level employees at a hotel who will likely not care.

~New~  BoomBerryPi project !  ~New~


new build log : http://linustechtips.com/main/topic/533392-build-log-the-scrap-simulator-x/?p=7078757 (5 screen flight sim for 620$ CAD)
LTT Web Challenge is back ! go here : http://linustechtips.com/main/topic/448184-ltt-web-challenge-3-v21/#entry601004


8 minutes ago, givingtnt said:

What I find funny is, people think to protect against high-level threats,
and then people come in, ask for the password pretending to be IT, and get it.

People in IT joke that all you need is a company shirt and a clipboard and you could walk in to any business you like and gain access to almost anything.


14 minutes ago, Slottr said:

I work in the industry- the people behind IT for most of the big hotel brands don't do shit regarding security. I've been pushing for small things like transitioning to a password manager for nearly 5 months now and still nothing.

 

For a handful of the websites, its backend is so outdated and weak a 10 year old could get into it. I'm not surprised this is coming to light.

 

It's a joke. Most companies do not want to update or upgrade anything...

13 minutes ago, VegetableStu said:

RIP identity

RIP bank account ._.

Yep. ;-;

10 minutes ago, givingtnt said:

What I find funny is, people think to protect against high-level threats,
and then people come in, ask for the password pretending to be IT, and get it.

Just building a solid back end is not the solution to this, especially with low-level employees at a hotel who will likely not care.

You'd be surprised, most people don't know anything about security. I asked random people whether they know what SSL is; no one knew what it is. I even asked what a server is, etc. Not a single clue. They don't even know that websites are even secure...


Just now, leadeater said:

People in IT joke that all you need is a company shirt and a clipboard and you could walk in to any business you like and gain access to almost anything.

But it's not a joke, people do that.
I'VE DONE THAT


Just now, givingtnt said:

But it's not a joke, people do that.
I'VE DONE THAT

Just to clarify, I reacted "Agree" for the first sentence, not the second.

I only see your reply if you @ me.

This reply/comment was generated by AI.


1 minute ago, Abdul201588 said:

You'd be surprised, most people don't know anything about security. I asked random people whether they know what SSL is; no one knew what it is.

What's your point here?
I don't need to know wtf SSL is to get access to restricted parts of a building, a server room, or anything.

Social Eng. is, imo, much more dangerous than those high-level hacks that people are so worried about.

A HACKER sounds much more threatening than this guy with a metal pad, a smile and a shirt that says "Your company's IT guy".


6 minutes ago, VegetableStu said:

?

story time?

I proved a point to an ex-employer.

 

But, if you really want to know a ton on how this works, here's a few links:
 

But, usual disclaimer:
Do NOT do this. Unless you have express, written permission this is VERY ILLEGAL and can be dangerous (especially the elevator stuff).


Just now, givingtnt said:

What's your point here?
I don't need to know wtf SSL is to get access to restricted parts of a building, a server room, or anything.

Social Eng. is, imo, much more dangerous than those high-level hacks that people are so worried about.

A HACKER sounds much more threatening than this guy with a metal pad, a smile and a shirt that says "Your company's IT guy".

Oops. Quoted you by accident.


21 minutes ago, VegetableStu said:

RIP identity


Had to. 

The ability to google properly is a skill of its own. 


Just now, huilun02 said:

Great! Now you can check if your spouse is unexpectedly on the guest list

If I had one... and then how would one afford a place at the Marriott... We're poor...

 

*Cries in a corner* 


I get a spam call at least once every 2 days for 

"MY RECENT STAY AT MARRIOTT HOTELS!"

Maybe now with some proper data the spammers can at least try something more targeted. 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch


4 hours ago, leadeater said:

People in IT joke that all you need is a company shirt and a clipboard and you could walk in to any business you like and gain access to almost anything.

When I have to dispatch out to customer sites, most of the time I am speaking with their engineers remotely. I just walk in with a shirt and a laptop and say I need to get to your equipment... they have no clue and just let me in.

 

I am doing this for my job and it blows me away, no call to verify, no license check, no company badge check, just "sure, down the hall to your left, door code is XXXXX"


Hotel computer security has been awful for decades, this was bound to happen.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) | RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB
CPU: Ryzen 9 5900X | Case: Antec P8 | PSU: Corsair RM850x | Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM
Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 | GPU: EVGA RTX 2080 ti Black edition


This is why my company requires an RFID badge to get anywhere, and it has to be set with permissions to get into places. I can enter the building, for instance, and go to most places, but for IT or the second floor my badge doesn't work, because they're not my work place.


It's weird how their info page states that only hotels under the Starwood Preferred Guest Program (SPG) are affected, yet urges you to still be alert if you stayed in a Starwood property even if you're not an SPG member... so at least give a website to look up which properties belong to that subsidiary?

They also only give information on how to deal with this data breach for the U.S., Canada and the UK.

 

I stayed exactly twice at a Marriott Hotel in the past 5 years, the one in Hannover, so I'm wondering if I will ever get that email from their system saying that I was one of the affected guests... so I decided to look it up instead of waiting.

 

The only somewhat reliable source I found was on their own website, in the footer: there is an image that groups all brands into the programs they offer. In my case, the Hannover Marriott Hotel belongs to the Courtyard brand, which belongs to Marriott Rewards, not SPG. Here is a printscreen of it:


You can find a list of their Brands here: https://www.marriott.com/marriott-brands.mi#

There might be a place with more reliable info; the issue is that their website layouts are the textbook definition of a bad layout. Finding what you're looking for is extremely hard and the whole layout is bloated with unnecessary information.

 

Also, I doubt this breach was SPG exclusive, so all I can do is wait for Marriott to contact me or not... I'll notice anyway if all of a sudden I start getting emails going in this direction.


1 hour ago, strajk- said:

Also doubt this breach was SPG exclusive

In this case it looks like it is. They acquired the SPG business and, as is usually the case, they run everything as it was before, computer systems etc. Basically least effort, maximum profit; only much later (if ever) would they look at merging things into a single system, as it's costly and risky to do so.


2 hours ago, leadeater said:

In this case it looks like it is. They acquired the SPG business and, as is usually the case, they run everything as it was before, computer systems etc. Basically least effort, maximum profit; only much later (if ever) would they look at merging things into a single system, as it's costly and risky to do so.

Let's hope that is indeed the case. 
