Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years

Anonymous Coward

Equifax, 143 Million

Lest we forget.

Anonymous Coward

Re: Equifax, 143 Million

Is this breach solely in the States or is it going to involve some European action?

Empire of the Pussycat

Re: Equifax, 143 Million

It's global.

If you used an SPG hotel 2014 onwards, I'd assume your data are in there.

katrinab
Silver badge

Re: Equifax, 143 Million

Le Méridien Piccadilly in London is one of the hotels affected. Also, Europeans do visit the USA.

Craigie
Bronze badge

Card numbers

Remind me again why card numbers aren't all single-use and virtual yet?

heyrick
Silver badge

Re: Card numbers

Probably too much bother to implement widely. Some banks offer it, most don't seem to...

heyrick
Silver badge

Re: Card numbers

Reply to my reply to add that I wanted to geoblock my card to only work on this continent. The website says to go to the branch. The staff at the branch had ZERO idea, and suggested something entirely different. Duh.

Graham 32

Re: Card numbers

Is there anyone in the UK that does this? (I think Cahoot used to but long since stopped) I'd like it so I don't have to phone insurance companies every year to tell them I don't want to auto-renew.

GnuTzu
Bronze badge

Re: Card numbers

This put a few thoughts in my head. I've done PCI in the restaurant industry, and credit card numbers never need to be stored there. But, do I understand correctly that hotels keep numbers on file for ongoing charges and as a hedge against guests who might take off without paying? That's a major challenge. Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel. That way the hotel can deal with ongoing charges without storing a card number that could potentially be used by anybody. But, given the time it took to get chips in the States, I imagine this won't happen overnight.

gryphon

Re: Card numbers

Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think.

Probably similar banks do as well.

They've also got a location based security, do / don't allow contactless or internet purchase and freeze card options with their standard service.

I do remember seeing Barclays advertising at least the freeze card option.

So called 'challenger' banks are probably more likely to offer these features than the big boys as a differentiator.

Personally I started using Revolut because it allows me to do commission free foreign transfers at the interbank rate but YMMV.

Anonymous Coward

Re: Card numbers

Well, Marriott use the Opera property management system, which is now owned by Oracle.

They were also one of the first to sign up to using it in the Oracle Cloud. Therefore there should not be a customer database that would locally be accessible to anyone.

The Opera system can also utilise the Oracle Payment Interface (OPI). This does allow modern fully tokenised credit card support, however this has only been available for a short time and would not be the default with this service.

Opera also has a number of APIs that allow you to retrieve and download customer data and can download CC data that isn't tokenised.

So maybe they were polling the data down from the cloud into a separate db, maybe their web service was copying the data to an internal db when it was making the booking.

Marriott have said "We also do a lot of research on transactional data to understand the value of getting an additional point of conversion through a new medium and what helps to drive that conversion. Based on what the data shows us and what customers are telling us, we try to marry the two together to reach informed decisions about the business."

So it would seem they like to pull data into a centralised analytics system of some kind.

Hopefully it won't be Oracle's cloud which has had issues!

Anonymous Coward

Re: Card numbers

"Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think."

My key problem with Revolut is there appear to be very high levels of Russian links at senior levels.

richardcox13

Re: Card numbers

> Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel.

Just like the APIs that most card processors provide, and have done for years?

When that ecommerce site offers to save your payment details, this is what should be used. There is no need to hold details (beyond a few masked digits so customers can recognise which card has been saved).

(Might be all card processors for all I know, certainly the APIs I've used all have this option.)

Anonymous Coward

Re: Card numbers

"Just like the APIs that most card processors provide, and have done for years?"

There's a little bit more to it than that. Fine if you are just creating an e-commerce website, but when dealing with a full fat property management system that is interlinked with multiple third-party systems, the payment service provider is just a small chink in the chain. There are multiple factors involved with running full tokenisation, including the requirement for a hotel's special allowance to do long term deposits, card authorisations and end-of-day re-authorisations (once again across multiple systems from different suppliers).

So the API that allowed it for Opera (which Marriott uses AFAIK) has only become properly available since the Oracle Payment Interface and API became available to use this year. Even then it only works with a PSP that supports it, and they in turn have to support your PED, and both of them have to support your Acquirer, which also has to support your bank. If you have legacy suppliers it gets a bit harder.

katrinab
Silver badge

Re: Card numbers

Revolut I think offers it, but it is a prepaid card, so no S75 protection.

Tomato Krill

Re: Card numbers

Revolut

Graeme Carstairs

Re: Card numbers

Revolut offer disposable virtual cards. on their premium services or a normal virtual card on their standard services.

wyatt

Re: Card numbers

I've done the opposite before, flag that the card is going out of the UK. It'd be useful to put blocks in place as well.

Efer Brick

Re: Card numbers

Revolut

Anonymous Coward

Re: Card numbers

Actually I can see that Starwood may well be on a different system to Marriott, so they probably have a local db and system.

StuntMisanthrope
Bronze badge

Re: Card numbers

If it started in 2014, I doubt it's Oracle Cloud, as it didn't exist for Hospitality, nor Opera, which is Java, and Opera Cloud v1 isn't widespread in general except for the fleet and test-beds; plus the acquisition was a couple of years later. It sounds to me like it's loyalty related, though I'm not familiar with their architecture other than common knowledge.

StuntMisanthrope
Bronze badge

Re: Card numbers

This is also one of the reasons Larry has been banging on about, for good reason, Cloud v2 and bare metal, because of the numbers involved etc...

Mr. Flibble

Re: Card numbers

1. Not all hotels have Opera cloudy servers. Some are still physically at the hotel.

2. It's quite possible that they breached "Valhalla", their back-end reservations database. This is probably why it is limited to Starwood hotels and not the whole group, as Marriott use a different system.

robidy

Re: Card numbers

That's exactly why innovative startups succeed in all industries...a defence of the status quo as opposed to a drive for positive improvement.

You can change and improve if you want to.

You can have multiple accounts so you can do an orderly transition...heck acquirers will give you a temp account to help with the transition...you just have to ask for one.

fnusnu

Re: Card numbers

My key problem with Revolut is this:

3.4. When we hold Electronic Money for you, us holding the funds corresponding to the Electronic Money is not the same as a Bank holding money for you in that: […] (c) your Electronic Money is not covered by the Financial Services Compensation Scheme.

Pen-y-gors
Silver badge

Re: Card numbers

@wyatt

I've done the opposite before, flag that the card is going out of the UK.

It must be 10 years ago that I visited Chile. After a couple of days tried to use my debit card to withdraw cash - nope! Seconds later got a text from the bank telling me about it and saying to reply to unblock.

Had similar texts (but not blocks) when I used Lloyds CC to order stuff directly from a shop in Santiago. "Was this you? If not phone...."

But yes, why does anyone need to store CC numbers once the transaction has been verified - or even before if you use a portal like Paypal?

tfb
Silver badge

Re: Card numbers

What you want is something like a Kerberos ticket: a token which proves you've seen the card and which gives you some rights (like taking money from the card up to some limit) for a finite time, beyond which it becomes valueless.

From other replies it looks as if these do exist?
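
The merchant-bound, spend-limited, expiring token described in the two posts above (GnuTzu's check-in token and tfb's Kerberos-style ticket), as an added illustration that is not from any commenter, nor from Marriott's or Oracle's systems; the in-memory vault, the merchant ids, the card number and the timestamps are constructed stand-ins for an HSM-backed tokenisation service.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Token:
    pan: str            # stays inside the vault; never returned to the hotel
    merchant_id: str    # the one property allowed to charge this token
    limit: float        # remaining authorised amount
    expires_at: float   # unix time after which the token is worthless

class Vault:
    """Stand-in for an HSM-backed tokenisation service (constructed example)."""
    def __init__(self):
        self._tokens: dict[str, Token] = {}

    def issue(self, pan: str, merchant_id: str, limit: float, ttl: float, now: float) -> str:
        tok = secrets.token_urlsafe(24)  # random handle: the PAN cannot be derived from it
        self._tokens[tok] = Token(pan, merchant_id, limit, now + ttl)
        return tok

    def charge(self, tok: str, merchant_id: str, amount: float, now: float) -> tuple[bool, str]:
        t = self._tokens.get(tok)
        if t is None:
            return False, "unknown token"
        if t.merchant_id != merchant_id:
            return False, "token bound to another merchant"
        if now > t.expires_at:
            return False, "token expired"
        if amount > t.limit:
            return False, "over remaining limit"
        t.limit -= amount
        return True, f"charged {amount:.2f} to card ending {t.pan[-4:]}"

def masked(pan: str) -> str:
    return "*" * (len(pan) - 4) + pan[-4:]

def checkin_demo() -> tuple[dict, list]:
    vault = Vault()
    now = 1_700_000_000.0            # constructed check-in time
    pan = "4111111111111111"          # constructed test card number
    tok = vault.issue(pan, "hotel-A", limit=500.0, ttl=3 * 86400, now=now)
    hotel_record = {"token": tok, "card": masked(pan)}  # all the PMS needs to keep
    results = [
        vault.charge(tok, "hotel-A", 120.0, now + 3600),        # room service: ok
        vault.charge(tok, "hotel-B", 10.0, now + 3600),         # another property: refused
        vault.charge(tok, "hotel-A", 400.0, now + 7200),        # exceeds remaining 380: refused
        vault.charge(tok, "hotel-A", 50.0, now + 4 * 86400),    # after the stay: refused
    ]
    return hotel_record, results
```

A breach of the hotel's own records then yields only an opaque handle and four masked digits, which the vault will refuse for any other merchant and after the stay's window.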

Ledswinger
Silver badge

Re: Card numbers

If it started in 2014, I doubt it's Oracle Cloud as it didn't exist for Hospitality ....

But what about the acquired businesses that Oracle borged? In particular, Micros, who were an EPOS and hospitality specialist, and themselves a product of the horrible "snowball acquisition" model that afflicts ERP and EPOS vendors.

Ian Michael Gumby
Silver badge
Boffin

@Craigie Re: Card numbers

Actually there is a product you can get for online purchases.

The other thing is that there is a company that tokenizes the CC details so that companies like Marriott don't store the CC # and stuff.

There's more, but the real problem is that we have the Mongol horde of programmers who really don't know what they are doing behind the scenes. (Or you could use Vandals too ... )

Yet Another Anonymous coward
Silver badge

Re: Card numbers

>But yes, why does anyone need to store CC numbers once the transaction has been verified

Hotels get a special PCI exemption (like car rental), otherwise they would need your card when you book to take a deposit, you queue again at checkin to pay, then you queue at checkout to pay for any other charges.

People don't like queuing and the majority of hotels in the USA are booked on business trips so nobody cares if the card is ripped off

Anonymous Coward

Re: Card numbers

After working in banking for four years and having moved on from that horror show, I can confirm that nearly every major bank does have this feature. Pretty much who you bank with will determine which department you contact. I know that during banking hours, 9am - 5pm ish, you can speak to debit card fraud prevention and they will be able to add this feature; however, which agent you get will determine whether or not they implement it. I know that's not the most useful answer, but it's pretty accurate.

Anonymous Coward

Re: Card numbers

Monzo and Starlight are two alternatives that have Western Corruption instead of Russian ;).

Moog42

Re: Card numbers

FSCS doesn't cover any form of electronic money, makes me nervous of even my £12.50 delay repay payment from Virgin Trains...

johnboy1

Re: Card numbers

No, it's not Opera.

Md_pepa

Fines

Let's hope the EU based regulators get a decent slice of the pie first, instead of the typical bank robberies we see from regulators over the pond.

Amusing if it was just “Royal Concierge”, the GCHQ program.

Graham 32

email-marriott.com

email-marriott.com? Really? That looks like a scam from the get go.

steamdesk_ross

Re: email-marriott.com

Maybe they can't safely publish pages on marriott.com at the moment... Just a thought.

Nick

Kroll

Has anyone tried to register with Kroll? The registration failed for me with an error and now retrying the process tells me that my email is already registered, but password recovery says I don't exist.

This doesn't make me feel more secure.

Empire of the Pussycat

Re: Kroll

Worked for me, though I did it before the El Reg posting; even then it was quite a while before I saw a confirmation email.

As the news spreads I'd think more and more people will be registering and it'll get slower or maybe have a wobbly.

Anonymous Coward

Re: Kroll

The ones who were hacked by Telecom Italia rogue hacker group some years ago?

Hope they improved their security as well...

Nick

Re: Kroll

Thanks for the feedback - I've now received my email, to the correct address, but the website still claims that my email is invalid.

I've spoken to a very nice man on the helpline who admitted that he's only there to handle the calls; he has nothing more he can do for me apart from pass it on to tech support.

sigh

StuntMisanthrope
Bronze badge

Data protection laws of world.

It’s hefty and you’ll need a couple of reams of paper.

To save you the trouble. In my opinion we need a global legal API (!?) framework.

If you know your PCI and loyalty there’s big gaps continent wise and there also needs to be a discussion about geo-location silo-ing, escrow, times expiry and mega-data policy. #whatsyourvectorvictor

StuntMisanthrope
Bronze badge

Re: Data protection laws of world.

Forgot to mention or leverage. I’d also like to see true zero loss financial data anonymisation with credit validation by encrypted checksum.

Pascal Monett
Silver badge

Re: Data protection laws of world.

You're absolutely right. This situation is ridiculous - let's create a new standard.

StuntMisanthrope
Bronze badge

Re: Data protection laws of world.

Tweet the G20, that's what you're here for. Not a new standard either. China and Africa are mag-stripe and the states are somewhere in between. If you've travelled through the middle with foreign cards, it's a lottery whether, POS, ATM or ePOS works anyway. This is why I moan about banking etc... #quellesurprise #enthalpyoscillation

monty75
Silver badge
FAIL

Intruder in their network since 2014. Monitoring system noticed it in September 2018. Had someone forgotten to switch it on for four years?

cbars

Or they only built it this year. Hmmm, what could have prompted that new-found interest in the processing of personal info? Some companies just Genuinely Don't Perceive Risk, and sometimes they do, but only once it's too late.

steviebuk
Silver badge

Possibly had someone in charge who didn't want to pay out for IT security. And now has someone who finally did want to pay out.

Anonymous Coward

@steviebuk

So obviously all the losses from this are on the new guy, right?

"If we never looked, we'd never know we were breached."

adgec

They meant to say 'recently purchased monitoring system which their IT team had been requesting for 4 years and only recently got signed off when they stuck the letters G,D,P and R in their business case'
