@monty75
Or possibly it was upgraded in Sept 18 to report additional types of activity as being suspicious. We shouldn't always assume the worst. Which of us has never upgraded software to make things better?
US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …
"Due Diligence...perhaps a pentest pre-acquisition...then there is the two years since they bought it."
I suspect this may be a case of a large, decentralised infrastructure - it could be as simple as a long forgotten dial up connection that was used for support in the distant past.
Comprehensively testing for that type of flaw can be challenging and easily overlooked in the midst of cost cutting, staff changes and an acquisition.
I thought that. I find it very hard to believe that anything remotely like half a billion separate people go anywhere near a Marriott hotel in any given five year period.
I mean, that's pretty close to the entire population of Europe and the USA combined. Including children. It doesn't pass the laugh test.
Don't get me wrong, these breaches are bad news, but I was just wondering how many people have had real money stolen or an increase in spam because of one of them?
I'm not saying these companies don't deserve everything they get in the way of fines etc, I was just wondering what happens to the data.
My card details got into the wild after the British Airways hack, and rogue transactions started to hit in < 24 hours. Fortunately my bank was on top of it (and yes I had notified them) and I think between us we caught all of the dodgy ones. So, yes it's very possible people lose "real money" from these breaches. I was lucky, and was paying attention.
As an aside: unfortunately this (and the subsequent card cancellation) hit exactly at the time I was trying to use the card to pay for a car hire in Italy, which added an extra layer of entertainment to the usual Italian car-hire circus.
Glad it worked out well (in the end) for you. Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones. Not difficult to do. I know this won't be convenient for everyone right now but as time goes on it seems to be the way to go.
"Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones."
Ha! I'll see your one-time pad and raise you contactless.
Then I'll raise you signatures in the US...
Then I'll raise you adding the tip in after you've signed the bill...
Northern Minnesota is actually quite nice & I drove from MSP up to & into Canada some years back. I don't think I enjoyed the drive up from Chicago back to MSP on the same trip around the Great Lakes (but the weather had turned, it was wet/sleet) & the views weren't as great in the south, to the best of my recall.
There's hardly ever any crossover between virtual and physical crime. They'd have to get this information in real time and have a nationwide network of burglars on call to monetize that. Even the mob wouldn't be able to do that these days.
Most likely the hackers are halfway around the world, and could care less about knowing when I'm out of my house for a few days.
Might not be as big as Yahoo! but that info seems a lot more identity-theftable. CC# are easy: just get a new one, the rest is not.
Are passport and DOBs # globally mandated for storage? I know France had police-requested guest registration info for a while, maybe still does. But most of the time now CC# and license plate is all that’s needed. DOB? Why?
Security 101: if you don’t store it, it can’t be hacked.
I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability* to them and they should delete what they can as soon as they can. If someone hasn't purchased from you in that last 6 months (and you're not an automatic repeat biller), then probably best to delete the card number... it's not like you're saving the customer loads of time re-entering it when they hardly order from you anyway.
* previously it made sense to hoard as much data as possible. With GDPR the mining potential is limited because you're not allow to exploit it easily, and obviously, with GDPR, data loss can = financial loss.
"I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability"
You're quite right but it's not easy to break the habits of a lifetime. It doesn't help that for a lot of management bods the desire to hoard and exploit data is part of their personality; it's what got them into those roles. It's probably going to take a few fines on a scale prompted by intent to make an example of the a few miscreants before the message gets through. And then a few more top tier fines on a few businesses who try to cover up to get that message through as well.
Always had, still have, although there ARE ways to slip through if you really want to. Most countries have similar requirements, especially for foreigners. I can't remember registering in a hotel in the Americas, Europe, Asia or Africa without providing a piece of ID (or a couple of locally-tradable pieces of paper-money, which I tend not to do, out of principle).
Most countries seem to be a bit random IME. I've had hotels in Blighty, as well as various other countries in Europe and elsewhere, ask for my passport or comparable ID. And others that take a more relaxed attitude.
They do all seem to want a credit card on booking and check-in. And recently they don't bother with it on checkout, which implies the capability to debit it some days later than reading it. I should hope that works with a single-use token rather than storing the whole thing!
well then, if i was designing hotel POS systems, i’d
1. limit ID intake to strictly what’s _locally_ legally required.
2. upload to the relevant police db and delete
3. if 2 doesn’t exist, delete as soon as you reach end of locally legislated retention period.
fwiw, when I visit the US, it’s always just the CC# and car plate #. ditto within Canada. so that’s at least 2 countries not needing retention.
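The three-point design above (collect only what the local law requires, hand off to the registry and delete, otherwise delete at the end of the local retention period) as a small added example. This is not the commenter's code or any hotel vendor's software; the jurisdiction table, field names and dates are constructed placeholders, not real legal requirements:

```python
"""Added example: a minimal guest-record retention enforcer following the
three-point design from the thread. POLICY values are constructed, not law."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy table: which ID fields a jurisdiction requires a hotel
# to collect, how long they may be kept, and whether there is a police
# registry to hand them off to. Placeholder values only.
POLICY = {
    "IT": {"fields": {"passport_no", "dob"}, "retention_days": 5, "registry": True},
    "FR": {"fields": {"passport_no"}, "retention_days": 180, "registry": False},
    "US": {"fields": set(), "retention_days": 0, "registry": False},
}


@dataclass
class GuestRecord:
    booking_id: str
    country: str
    checkin: date
    card_token: str               # tokenised card reference, never the PAN itself
    id_fields: dict = field(default_factory=dict)
    uploaded: bool = False        # set once handed to the local registry


def minimise(record: GuestRecord) -> GuestRecord:
    """Point 1: drop every ID field the local rule does not require."""
    allowed = POLICY[record.country]["fields"]
    record.id_fields = {k: v for k, v in record.id_fields.items() if k in allowed}
    return record


def enforce_retention(records, today):
    """Points 2 and 3: purge ID fields once uploaded to the registry, or once
    the local retention period has elapsed. Returns the purged booking ids."""
    purged = []
    for r in records:
        rule = POLICY[r.country]
        expired = today - r.checkin >= timedelta(days=rule["retention_days"])
        if r.id_fields and ((rule["registry"] and r.uploaded) or expired):
            r.id_fields = {}
            purged.append(r.booking_id)
    return purged


def demo():
    """Constructed sample run: three bookings checked against a fixed date."""
    today = date(2018, 9, 8)  # constructed reference date
    records = [
        # Italy: plate number is not required, so minimise() drops it;
        # 7 days since check-in exceeds the 5-day period, so it is purged.
        minimise(GuestRecord("B1", "IT", date(2018, 9, 1), "tok_1",
                             {"passport_no": "X", "dob": "1970-01-01", "plate": "AB123"})),
        # France: dob not required; 2 days is inside the 180-day period, kept.
        minimise(GuestRecord("B2", "FR", date(2018, 9, 6), "tok_2",
                             {"passport_no": "Y", "dob": "1980-02-02"})),
        # Italy: already uploaded to the registry, purge immediately.
        minimise(GuestRecord("B3", "IT", date(2018, 9, 7), "tok_3",
                             {"passport_no": "Z"}, uploaded=True)),
    ]
    purged = enforce_retention(records, today)
    return records, purged


if __name__ == "__main__":
    recs, gone = demo()
    print("purged:", gone)
    for r in recs:
        print(r.booking_id, r.country, r.id_fields)
```

The card number never enters the record at all, only a token, which is the separate point made earlier in the thread about single-use tokens; the retention logic only ever has to care about the identity fields.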
In Italy it was also common that a hotel could actually register you *only* if you paid with a traceable means - lots of cash still in use - and often the card reader was "not working", especially for foreign tourists - to evade taxes they could not register a lot of guests... (more common in small hotels, big groups probably less so). Now with counter-terrorism rules, it could have become riskier.
"burning the CC's and going cash only. No checks either."
The way things are going it'll be impossible to get hold of cash, at least in the UK. You can't get cash from your now-closed bank branch and you'll need a card to get cash out of an ATM. And that assumes the ATM network survives.
It's high time retention of banking licences was tied to meeting standards of accessibility and customer service with the required standards being notched up each year.
Nah! 500 million transactions, maybe, but not 500 million customers. Even if it's worldwide, I suspect a lot are in the USA, and a fair proportion of the population there can't afford to stay in a decent house, never mind a Marriott hotel. And I'm sure a lot of their customers tend to be regular repeat offenders, so probably only 50-100 million, i.e. less than Equifax. Pah! Piffling small change!
Since 2014 some of the cards will have expired so they'll be counting the originals and the replacements. Then there are customers with multiple cards. And some of the customers will have changed address or given a home address sometimes and a business address at others. Even if it's card plus address combinations rather than transactions there'll be a good deal of multiple counting of individuals going on.
Not that I don't already do it to a large extent online, but I'm starting to wonder why I don't just get black market new identities, just so when they get inevitably compromised, it's less upsetting.
Still. Happily not a Marriott customer, ever. When I contracted for IBM they did pay for a hotel once - oh, wait, Travelodge were already hit this past summer!
"Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014."
Unauthorised access for four years. The entire booking database with 500 million guest details in it but no one noticed anything.
Equifax were bitch slapped with a fine but these guys are going to be ass kicked.
*YAWN*
Cue the standard "We'll pay for credit monitoring (by handing all your info to Equifax) for a year, and we take customer yada-yada seriously, also we have measures in place like not having the admin password '1234' to probably make sure this doesn't happen again; also since you used our website, you agreed to the T&Cs, and individual arbitration, no class-action lawsuits, and so on. We strive for excellence and value our relationship with shareholders customers guests."
This is getting old...