Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …

    1. Pen-y-gors

      @monty75

      Or possibly it was upgraded in Sept 18 to report additional types of activity as being suspicious. We shouldn't always assume the worst. Which of us has never upgraded software to make things better?

      1. Anonymous Coward

        Greed of the thief.

        A thief will always get caught eventually. It just depends on the escalation rate. Perhaps they wanted a little more than could get past the checks and balances?

      2. Doctor Syntax Silver badge

        "Which of us has never upgraded software to make things better?"

        And which of us has never upgraded software and found it made things worse?

    2. Yet Another Anonymous coward Silver badge

      The monitoring system didn't even notice - they only investigated when they found marriot-hack.tgz on a torrent site

  1. Electricity_Guy

    Being fair to Marriott

    Marriott can't be held wholly responsible, they only acquired Starwood in 2016, this hack seems to pre-date that. Still shit if you had your card deets swiped though.

    1. Peter X

      Re: Being fair to Marriott

      they only acquired Starwood in 2016, this hack seems to pre-date that

      I believe the hack has been on-going since 2014, so possibly someone should've noticed at some point since?

    2. Anonymous Coward

      Re: Being fair to Marriott

      Details of half a billion customers are arguably worth more than the bricks and mortar.

      Due diligence... perhaps a pentest pre-acquisition... then there is the two years since they bought it.

      1. Anonymous Coward

        Re: Being fair to Marriott

        “Due diligence... perhaps a pentest pre-acquisition... then there is the two years since they bought it.”

        I suspect this may be a case of a large, decentralised infrastructure - it could be as simple as a long-forgotten dial-up connection that was used for support in the distant past.

        Comprehensively testing for that type of flaw can be challenging and easily overlooked in the midst of cost cutting, staff changes and an acquisition.

      2. Stoneshop

        Re: Being fair to Marriott

        Details of half a billion customers

        Half a billion customer records. Though with multiple records per customer, that would still amount to at least several tens of millions of customers.

        1. veti Silver badge

          Re: Being fair to Marriott

          I thought that. I find it very hard to believe that anything remotely like half a billion separate people go anywhere near a Marriott hotel in any given five-year period.

          I mean, that's pretty close to the entire population of Europe and the USA combined. Including children. It doesn't pass the laugh test.

  2. ISYS

    Just wondering

    Don't get me wrong, these breaches are bad news, but I was just wondering how many people have had real money stolen or an increase in spam because of one of them?

    I'm not saying these companies don't deserve everything they get in the way of fines etc., I was just wondering what happens to the data.

    1. batfink

      Re: Just wondering

      My card details got into the wild after the British Airways hack, and rogue transactions started to hit in < 24 hours. Fortunately my bank was on top of it (and yes I had notified them) and I think between us we caught all of the dodgy ones. So, yes it's very possible people lose "real money" from these breaches. I was lucky, and was paying attention.

      As an aside: unfortunately this (and the subsequent card cancellation) hit exactly at the time I was trying to use the card to pay for a car hire in Italy, which added an extra layer of entertainment to the usual Italian car-hire circus.

      1. ISYS

        Re: Just wondering

        Glad it worked out well (in the end) for you. Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones. Not difficult to do. I know this won't be convenient for everyone right now, but as time goes on it seems to be the way to go.

        1. A.P. Veening Silver badge

          Re: Just wondering

          "Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones."

          For your information, my bank has been doing it for a couple of months now.

          1. yoganmahew

            Re: Just wondering

            "Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones."

            Ha! I'll see your one-time pad and raise you contactless.

            Then I'll raise you signatures in the US...

            Then I'll raise you adding the tip in after you've signed the bill...

        2. File Not Found

          Out in the wild

          MFA which relies on a steady cellphone signal - not available out here in rural Suffolk UK, and already causing some gritting of the teeth, as these little details seem to escape MFA activists. Just sayin.

  3. Anonymous Coward

    "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."

    That is more likely to be a split key, as per PCI-DSS req 3.6.6.
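    The split-knowledge arrangement the comment refers to (PCI DSS requirement 3.6.6), as an added illustration that is not from the article, the thread or Marriott's systems: the key exists only as the XOR of two components held by separate custodians, and AES-256-GCM authentication fails for anyone who holds just one of them. The function names, the XOR combination, the AES-GCM choice and the sample card number are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed sample value for demonstration only, not a real card number.
SAMPLE_PAN = '4111111111111111'

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Split knowledge: component a is uniformly random and b = key XOR a, so a
# custodian holding either component alone learns nothing about the key.
def split_key(key)
  a = SecureRandom.random_bytes(key.bytesize)
  [a, xor_bytes(key, a)]
end

# Dual control: both custodians must present a component to rebuild the key.
def combine_key(a, b)
  raise ArgumentError, 'component length mismatch' unless a.bytesize == b.bytesize
  xor_bytes(a, b)
end

# Encrypt one PAN with AES-256-GCM under the combined key.
# Returns iv (12 bytes) || auth tag (16 bytes) || ciphertext.
def seal_pan(key, pan)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ct = cipher.update(pan) + cipher.final
  iv + cipher.auth_tag + ct
end

# Decrypt; GCM authentication fails (OpenSSL::Cipher::CipherError) for any
# key other than the full reconstructed one, so one component is useless.
def open_pan(key, blob)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.update(blob.byteslice(28, blob.bytesize - 28)) + cipher.final
end

# What a single custodian (or a thief with one component) can do: nothing.
def recoverable_with?(component, blob)
  open_pan(component, blob)
  true
rescue OpenSSL::Cipher::CipherError
  false
end
```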

  4. TheInnerPartSystem

    Homewrecker

    With 500 million records I can see the following scene playing out in multiple homes...

    Letter arrives - "Dear Sir, regarding your stay at our Las Vegas hotel in March 21 2018...."

    Wife - "Hey honey, wasn't that the same weekend as your work conference in Minnesota?...."

    1. Tom 38

      Re: Homewrecker

      Is it weird I'd rather go to Minnesota?

      1. The Oncoming Scorn Silver badge

        Re: Homewrecker

        Northern Minnesota is actually quite nice, and I drove from MSP up to and into Canada some years back. I don't think I enjoyed the drive up from Chicago back to MSP on the same trip around the Great Lakes (but the weather had turned and it was wet/sleet), and the views weren't as great in the south, to the best of my recall.

  5. Efer Brick

    I have my reservations...

    Or, rather they do!

  6. Kev99 Silver badge

    Okay people. We're going to store our most sensitive information in those paper bags. You know, the ones we got when we bought our groceries. Yup, so what if a net is just a bunch of holes held together by string, or a cloud is just a bunch of holes held together by vapor. It's free!!

  7. DerekCurrie

    Target, 78 Million

    ...Despite repeated warnings and indicators from both outside and inside the company.

  8. Anonymous Coward

    Remind me

    Why they need *all* the details once payment has been processed.

    1. Mr. Flibble

      Re: Remind me

      Because you could have legged it with all the bathrobes/been smoking in a non-smoking room/trashed the place.

      None of this will be found until hours after checkout when housekeeping goes round to clean rooms etc.

      1. Anonymous Coward

        Re: Remind me

        I think the point was "why do they still need my card details from my stay in 2014".

        SPG hotels tend to have housekeeping in every day rather than every 4 years.

  9. Graham Butler

    Address AND reservation date? Wonder if there's any correlation with burglaries....

    1. Anonymous Coward

      Address and reservation date

      There's hardly ever any crossover between virtual and physical crime. They'd have to get this information in real time and have a nationwide network of burglars on call to monetize that. Even the mob wouldn't be able to do that these days.

      Most likely the hackers are halfway around the world, and could care less about knowing when I'm out of my house for a few days.

  10. Pascal Monett Silver badge

    "exposed the entire database"

    You've got to hand it to Marriott - they don't do things halfway.

  11. JLV

    Might not be as big as Yahoo! but that info seems a lot more identity-theftable. CC# are easy: just get a new one, the rest is not.

    Are passport #s and DOBs globally mandated for storage? I know France had police-requested guest registration info for a while, maybe still does. But most of the time now CC# and license plate is all that’s needed. DOB? Why?

    Security 101: if you don’t store it, it can’t be hacked.

    1. Peter X

      Security 101: if you don’t store it, it can’t be hacked.

      I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability* to them and they should delete what they can as soon as they can. If someone hasn't purchased from you in the last 6 months (and you're not an automatic repeat biller), then probably best to delete the card number... it's not like you're saving the customer loads of time re-entering it when they hardly order from you anyway.

      * previously it made sense to hoard as much data as possible. With GDPR the mining potential is limited because you're not allowed to exploit it easily, and obviously, with GDPR, data loss can = financial loss.

      1. Doctor Syntax Silver badge

        "I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability"

        You're quite right, but it's not easy to break the habits of a lifetime. It doesn't help that for a lot of management bods the desire to hoard and exploit data is part of their personality; it's what got them into those roles. It's probably going to take a few fines on a scale prompted by intent to make an example of a few miscreants before the message gets through. And then a few more top-tier fines on a few businesses who try to cover up, to get that message through as well.

    2. ElReg!comments!Pierre

      I know France had police-requested guest registration

      Always had, still have, although there ARE ways to slip through if you really want to. Most countries have similar requirements, especially for foreigners. I can't remember registering in a hotel in the Americas, Europe, Asia or Africa without providing a piece of ID (or a couple of locally-tradable pieces of paper money, which I tend not to do, out of principle).

    3. Mr. Flibble

      police-requested guest registration

      Italy does this too, but they only get transferred from the hotel systems "on request".

      1. Nick Kew

        Re: police-requested guest registration

        Most countries seem to be a bit random IME. I've had hotels in Blighty, as well as various other countries in Europe and elsewhere, ask for my passport or comparable ID. And others that take a more relaxed attitude.

        They do all seem to want a credit card on booking and check-in. And recently they don't bother with it on checkout, which implies the capability to debit it some days later than reading it. I should hope that works with a single-use token rather than storing the whole thing!

      2. JLV

        Re: police-requested guest registration

        Well then, if I was designing hotel POS systems, I’d

        1. limit ID intake to strictly what’s _locally_ legally required.

        2. upload to the relevant police db and delete

        3. if 2 doesn’t exist, delete as soon as you reach end of locally legislated retention period.

        FWIW, when I visit the US, it’s always just the CC# and car plate #. Ditto within Canada. So that’s at least 2 countries not needing retention.

      3. Anonymous Coward

        "they only get transferred from the hotel systems 'on request'"

        In Italy it was also common that a hotel could actually register you *only* if you paid with a traceable means (a lot of cash is still in use), and often the card reader was "not working", especially for foreign tourists: to evade taxes they could not register a lot of guests... (more common in small hotels; big groups probably less so). Now with counter-terrorism rules, it could have become riskier.

  12. Mark 85

    I'm giving some thought to burning the CC's and going cash only. No checks either. These are scary times indeed. But that may be just a knee jerk reaction to all the breeches lately. Seems we can't trust anyone any more.

    1. alexdonald

      Knee jerk... Breeches... Haha

      (That was deliberate, right?)

    2. Doctor Syntax Silver badge

      "burning the CC's and going cash only. No checks either."

      The way things are going it'll be impossible to get hold of cash, at least in the UK. You can't get cash from your now-closed bank branch and you'll need a card to get cash out of an ATM. And that assumes the ATM network survives.

      It's high time retention of banking licences was tied to meeting standards of accessibility and customer service with the required standards being notched up each year.

  13. neilas

    Half a billion customers? They wish? The world population is only 7.5 billion, so Marriott have one fourteenth of the world as registered clients, do they?

  14. Pen-y-gors

    500 million?

    Nah! 500 million transactions, maybe, but not 500 million customers. Even if it's worldwide, I suspect a lot are in the USA, and a fair proportion of the population there can't afford to stay in a decent house, never mind a Marriott hotel. And I'm sure a lot of their customers tend to be regular repeat offenders, so probably only 50-100 million, i.e. less than Equifax. Pah! Piffling small change!

    1. Doctor Syntax Silver badge

      Re: 500 million?

      Since 2014 some of the cards will have expired so they'll be counting the originals and the replacements. Then there are customers with multiple cards. And some of the customers will have changed address or given a home address sometimes and a business address at others. Even if it's card plus address combinations rather than transactions there'll be a good deal of multiple counting of individuals going on.

  15. Wolfclaw

    This will be expensive !

  16. MrMerrymaker

    Data Shmata

    Not that I don't already do it to a large extent online, but I'm starting to wonder why I don't just get black market new identities, just so when they get inevitably compromised, it's less upsetting.

    Still. Happily not a Marriott customer, ever. When I contracted for IBM they did pay for a hotel once - oh, wait, Travelodge were already hit this past summer!

    1. the Jim bloke

      Re: Data Shmata

      "Not that I don't already do it to a large extent online, but I'm starting to wonder why I don't just get black market new identities"

      Half a billion fresh ones now available.

  17. adam payne

    "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014."

    Unauthorised access for four years. The entire booking database with 500 million guest details in it but no one noticed anything.

    Equifax were bitch slapped with a fine but these guys are going to be ass kicked.

  18. Michael Jarve

    *YAWN*

    Cue the standard "We'll pay for credit monitoring (by handing all your info to Equifax) for a year, and we take customer yada-yada seriously, also we have measures in place like not having the admin password '1234' to probably make sure this doesn't happen again; also since you used our website, you agreed to the T&Cs, and individual arbitration, no class-action lawsuits, and so on. We strive for excellence and value our relationship with shareholders customers guests."

    This is getting old...

    1. Doctor Syntax Silver badge

      "since you used our website, you agreed to the T&Cs"

      It probably depends on jurisdiction but statute law as to consumer rights overrides contract law.

  19. Anonymous Coward

    Marriott's Starwood hotels mega-hack:

    Any idea as to the technical nature of the hack?
