Phantom Phone Calls
I get on average 4 calls a month, automated voice mail claiming that as a Marriott (sometimes WestJet) client, I have qualified for ...
I have usually dropped the phone connection by then.
US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …
....due to so many companies seeing IT as just an unnecessary expense. I sat in the Pullman Hotel in London early in the year & while bored in my room just scanned the network. Surely such a business hotel would have at least wireless isolation on.
Nope!
Shocking.
I reported all the findings on Twitter to them while there. Granted, was only there a few days and during that time it was slowly being locked down after my reports, but how long had it not been? At one point there was access to one of the servers that controlled heating somewhere in the hotel or it was a reporting system, I can't quite remember. But it clearly hadn't been patched in years. You could even see their own office PCs on the network that all guests have access to.
I've seen some bad setups at small, family-run lodge places, which still shouldn't happen but is more understandable, but at a big chain and business hotel it is unforgivable.
I now wonder if Pullman has ever had any breaches and just kept quiet or still not realised.
It opens:
'Marriott values our guests and understands the importance of protecting your personal information'
This must be a new policy.
'the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)'
So we can assume our passport numbers have been left in plaintext and are now in the hands of the PLA. Unlike credit cards, it is hard to know if this data has been misused and not easy to get a free replacement if you suspect yours has been misused.
I wonder if Marriott fancies coughing up for half a billion new passports?