Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …

  1. Anonymous Coward

    Equifax, 143 Million

    Lest we forget.

    1. Anonymous Coward

      Re: Equifax, 143 Million

      Is this breach solely in the States, or is it going to involve some European action?

      1. Empire of the Pussycat

        Re: Equifax, 143 Million

        It's global.

        If you used an SPG hotel from 2014 onwards, I'd assume your data are in there.

      2. katrinab Silver badge

        Re: Equifax, 143 Million

        Le Méridien Piccadilly in London is one of the hotels affected. Also, Europeans do visit the USA.

  2. Craigie

    Card numbers

    Remind me again why card numbers aren't all single-use and virtual yet?

    1. heyrick Silver badge

      Re: Card numbers

      Probably too much bother to implement widely. Some banks offer it, most don't seem to...

      1. heyrick Silver badge

        Re: Card numbers

        Reply to my reply to add that I wanted to geoblock my card to only work on this continent. The website says to go to the branch. The staff at the branch had ZERO idea, and suggested something entirely different. Duh.

        1. wyatt

          Re: Card numbers

          I've done the opposite before, flag that the card is going out of the UK. It'd be useful to put blocks in place as well.

          1. Pen-y-gors

            Re: Card numbers

            @wyatt

            I've done the opposite before, flag that the card is going out of the UK.

            It must be 10 years ago that I visited Chile. After a couple of days I tried to use my debit card to withdraw cash - nope! Seconds later I got a text from the bank telling me about it and saying to reply to unblock.

            Had similar texts (but not blocks) when I used Lloyds CC to order stuff directly from a shop in Santiago. "Was this you? If not phone...."

            But yes, why does anyone need to store CC numbers once the transaction has been verified - or even before if you use a portal like Paypal?

            1. Yet Another Anonymous coward Silver badge

              Re: Card numbers

              >But yes, why does anyone need to store CC numbers once the transaction has been verified

              Hotels get a special PCI exemption (like car rental), otherwise they would need your card when you book to take a deposit, you queue again at checkin to pay, then you queue at checkout to pay for any other charges.

              People don't like queuing, and the majority of hotels in the USA are booked on business trips, so nobody cares if the card is ripped off.

        2. Anonymous Coward

          Re: Card numbers

          After working in banking for four years and moving on from that horror show, I can confirm that nearly every major bank does have this feature. Pretty much who you bank with will determine which department you contact. I know that during banking hours, 9am - 5pm ish, you can speak to debit card fraud prevention and they will be able to add this feature; however, which agent you get will determine whether or not they implement it. I know that's not the most useful answer but it's pretty accurate.

    2. Graham 32

      Re: Card numbers

      Is there anyone in the UK that does this? (I think Cahoot used to but long since stopped) I'd like it so I don't have to phone insurance companies every year to tell them I don't want to auto-renew.

      1. gryphon

        Re: Card numbers

        Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think.

        Probably similar banks do as well.

        They've also got a location based security, do / don't allow contactless or internet purchase and freeze card options with their standard service.

        I do remember seeing Barclays advertising at least the freeze card option.

        So called 'challenger' banks are probably more likely to offer these features than the big boys as a differentiator.

        Personally I started using Revolut because it allows me to do commission free foreign transfers at the interbank rate but YMMV.

        1. Anonymous Coward

          Re: Card numbers

          "Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think."

          My key problem with Revolut is there appear to be very high levels of Russian links at senior levels.

          1. fnusnu

            Re: Card numbers

            My key problem with Revolut is this:

            3.4. When we hold Electronic Money for you, us holding the funds corresponding to the Electronic Money is not the same as a Bank holding money for you in that: […] (c) your Electronic Money is not covered by the Financial Services Compensation Scheme.

            1. Moog42

              Re: Card numbers

              FSCS doesn't cover any form of electronic money, makes me nervous of even my £12.50 delay repay payment from Virgin Trains...

          2. Anonymous Coward

            Re: Card numbers

            Monzo and Starlight are two alternatives that have Western Corruption instead of Russian ;).

      2. katrinab Silver badge

        Re: Card numbers

        Revolut I think offers it, but it is a prepaid card, so no S75 protection.

      3. Tomato Krill

        Re: Card numbers

        Revolut

      4. Graeme Carstairs

        Re: Card numbers

        Revolut offer disposable virtual cards. on their premium services or a normal virtual card on their standard services.

      5. Efer Brick

        Re: Card numbers

        Revolut

    3. GnuTzu

      Re: Card numbers

      This put a few thoughts in my head. I've done PCI in the restaurant industry, and credit card numbers never need to be stored there. But, do I understand correctly that hotels keep numbers on file for ongoing charges and a hedge against guests who might take off without paying? That's a major challenge. Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel. That way the hotel can deal with ongoing charges without storing a card number that could potentially be used by anybody. But, given the time it took to get chips in the states, I imagine this won't happen over night.

      1. Anonymous Coward

        Re: Card numbers

        Well, Marriott use the Opera property management system, which is now owned by Oracle.

        They were also one of the first to sign up to using it in the Oracle Cloud. Therefore there should not be a customer database that would locally be accessible to anyone.

        The Opera system can also utilise the Oracle Payment Interface (OPI). This does allow modern, fully tokenised credit card support; however, this has only been available for a short time and would not be the default with this service.

        Opera also has a number of APIs that allow you to retrieve and download customer data and can download CC data that isn't tokenised.

        So maybe they were polling the data down from the cloud into a separate db, maybe their web service was copying the data to an internal db when it was making the booking.

        Marriott have said "We also do a lot of research on transactional data to understand the value of getting an additional point of conversion through a new medium and what helps to drive that conversion. Based on what the data shows us and what customers are telling us, we try to marry the two together to reach informed decisions about the business."

        So it would seem they like to pull data into a centralised analytics system of some kind.

        Hopefully it won't be Oracle's cloud which has had issues!

        1. Anonymous Coward

          Re: Card numbers

          Actually, I can see that Starwood may well be on a different system to Marriott, so they probably have a local DB and system.

        2. StuntMisanthrope

          Re: Card numbers

          If it started in 2014, I doubt it's Oracle Cloud, as it didn't exist for Hospitality, nor did Opera, which is Java, and Opera Cloud v1 isn't widespread in general except for the fleet and test-beds; plus the acquisition was a couple of years later. It sounds to me like it's loyalty related, though I'm not familiar with their architecture other than common knowledge.

          1. StuntMisanthrope

            Re: Card numbers

            This is also one of the reasons Larry has been banging on, for good reason, about Cloud v2 and bare metal: because of the numbers involved etc...

          2. Anonymous Coward

            Re: Card numbers

            If it started in 2014, I doubt it's Oracle Cloud, as it didn't exist for Hospitality ....

            But what about the acquired businesses that Oracle borged? In particular, Micros, who were an EPOS and hospitality specialist, and themselves a product of the horrible "snowball acquisition" model that afflicts ERP and EPOS vendors.

        3. Mr. Flibble

          Re: Card numbers

          1. Not all hotels have Opera cloudy servers. Some are still physically at the hotel.

          2. It's quite possible that they breached "Valhalla", their back-end reservations database. This is probably why it is limited to Starwood hotels and not the whole group, as Marriott use a different system.

        4. johnboy1

          Re: Card numbers

          No, it's not Opera.

      2. richardcox13

        Re: Card numbers

        > Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel.

        Just like the APIs that most card processors provide, and have done for years?

        When that ecommerce site offers to save your payment details, this is what should be used. There is no need to hold details (beyond a few masked digits so customers can recognise which card has been saved).

        (Might be all card processors for all I know, certainly the APIs I've used all have this option.)

        1. Anonymous Coward

          Re: Card numbers

          "Just like the APIs that most card processors provide, and have done for years?"

          There's a little bit more to it than that. Fine if you are just creating an e-commerce website, but when dealing with a full-fat property management system that is interlinked with multiple third-party systems, the payment service provider is just a small link in the chain. There are multiple factors involved with running full tokenisation, including the requirement for a hotel's special allowance to do long-term deposits, card authorisations and end-of-day re-authorisations (once again across multiple systems from different suppliers).

          So the API that allowed it for Opera (which Marriott uses AFAIK) has only become properly available since the Oracle Payment Interface and API became available to use this year. Even then it only works with a PSP that supports it, and they in turn have to support your PED, and both of them have to support your Acquirer, which also has to support your bank. If you have legacy suppliers it gets a bit harder.

          1. robidy

            Re: Card numbers

            That's exactly why innovative startups succeed in all industries...a defence of the status quo as opposed to a drive for positive improvement.

            You can change and improve if you want to.

            You can have multiple accounts so you can do an orderly transition...heck acquirers will give you a temp account to help with the transition...you just have to ask for one.

      3. Anonymous Coward

        Re: Card numbers

        What you want is something like a Kerberos ticket: a token which proves you've seen the card and which gives you some rights (like taking money from the card up to some limit) for a finite time, beyond which it becomes valueless.

        From other replies it looks as if these do exist?
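The three ideas in this sub-thread (a token scoped to one hotel, the "save my card" tokens that processor APIs hand out, and a Kerberos-style ticket that is merchant-bound, amount-limited and expires) are the same design. The block below is an added example written for this page, not code from any commenter, from Oracle/Opera or from any real processor's API; `TokenService`, its method names and the hotel/merchant identifiers are hypothetical, and the card number is the Visa test PAN. The merchant side ends up holding only a signed token and a masked PAN, while the full number never leaves the issuer's vault:

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Hypothetical processor-side token vault: it keeps the PAN and hands the
    merchant a signed token bound to that merchant, a spending cap and an expiry."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._vault = {}   # token id -> full PAN; never returned to the merchant
        self._spent = {}   # token id -> minor units already charged against it

    def issue(self, pan: str, merchant_id: str, limit_minor: int,
              ttl_seconds: int, now: int):
        tid = secrets.token_hex(8)
        self._vault[tid] = pan
        self._spent[tid] = 0
        claims = {"tid": tid, "mid": merchant_id,
                  "limit": limit_minor, "exp": now + ttl_seconds}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        # The merchant stores the token plus a masked PAN for display, nothing else.
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return f"{body}.{tag}", masked

    def _claims(self, token: str):
        body, _, tag = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not tag or not hmac.compare_digest(tag, expected):
            return None               # forged or tampered token
        return json.loads(_unb64(body))

    def charge(self, token: str, merchant_id: str, amount_minor: int, now: int):
        claims = self._claims(token)
        if claims is None:
            return False, "bad signature"
        if claims["mid"] != merchant_id:
            return False, "token bound to a different merchant"
        if now >= claims["exp"]:
            return False, "token expired"
        tid = claims["tid"]
        if tid not in self._vault:
            return False, "unknown token"
        if self._spent[tid] + amount_minor > claims["limit"]:
            return False, "cumulative limit exceeded"
        self._spent[tid] += amount_minor
        # A real service would now submit self._vault[tid] to the acquirer.
        return True, f"charged {amount_minor} minor units"


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a three-night stay with a 500.00 cap on the token."""
    svc = TokenService(secrets.token_bytes(32))
    token, masked = svc.issue("4111111111111111", "hotel-42", 50000, 3 * 86400, now)
    bad_tag = token[:-1] + ("0" if token[-1] != "0" else "1")   # flip one hex digit
    return {
        "masked": masked,
        "room": svc.charge(token, "hotel-42", 30000, now + 3600)[0],
        "minibar": svc.charge(token, "hotel-42", 15000, now + 86400)[0],
        "over_limit": svc.charge(token, "hotel-42", 10000, now + 86400)[0],
        "other_merchant": svc.charge(token, "hotel-99", 100, now + 3600)[0],
        "expired": svc.charge(token, "hotel-42", 100, now + 4 * 86400)[0],
        "tampered": svc.charge(bad_tag, "hotel-42", 100, now)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the hotel case discussed above. The cap is cumulative, so late-posted charges (minibar, damage) work without the merchant re-presenting a card, but a stolen token is worth at most the remaining cap at one merchant until it expires; and because the merchant database holds only `token` and `masked`, a dump of that database yields nothing a fraudster could replay elsewhere.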

    4. Ian Michael Gumby
      Boffin

      @Craigie Re: Card numbers

      Actually, there is a product you can get for online purchases.

      The other thing is that there is a company that tokenizes the CC details so that companies like Marriott don't store the CC # and stuff.

      There's more, but the real problem is that we have the Mongol horde of programmers who really don't know what they are doing behind the scenes. (Or you could use Vandals too ... )

  3. Md_pepa

    Fines

    Let's hope the EU-based regulators get a decent slice of the pie first, instead of the typical bank robberies we see from regulators over the pond.

    Amusing if it was just “Royal Concierge”, the GCHQ program.

  4. Graham 32

    email-marriott.com

    email-marriott.com? Really? That looks like a scam from the get go.

    1. steamdesk_ross

      Re: email-marriott.com

      Maybe they can't safely publish pages on marriott.com at the moment... Just a thought.

  5. Nick

    Kroll

    Has anyone tried to register with Kroll? The registration failed for me with an error and now retrying the process tells me that my email is already registered, but password recovery says I don't exist.

    This doesn't make me feel more secure.

    1. Empire of the Pussycat

      Re: Kroll

      Worked for me, though I did it before the El Reg posting; even then it was quite a while before I saw a confirmation email.

      As the news spreads I'd think more and more people will be registering and it'll get slower or maybe have a wobbly.

      1. Nick

        Re: Kroll

        Thanks for the feedback - I've now received my email, to the correct address, but the website still claims that my email is invalid.

        I've spoken to a very nice man on the helpline who admitted that he's only there to handle the calls; there is nothing more he can do for me apart from pass it on to tech support.

        sigh

    2. Anonymous Coward

      Re: Kroll

      The ones who were hacked by the Telecom Italia rogue hacker group some years ago?

      Hope they improved their security as well...

  6. StuntMisanthrope

    Data protection laws of world.

    It’s hefty and you’ll need a couple of reams of paper.

    To save you the trouble. In my opinion we need a global legal API (!?) framework.

    If you know your PCI and loyalty there’s big gaps continent wise and there also needs to be a discussion about geo-location silo-ing, escrow, times expiry and mega-data policy. #whatsyourvectorvictor

    1. StuntMisanthrope

      Re: Data protection laws of world.

      Forgot to mention or leverage. I’d also like to see true zero loss financial data anonymisation with credit validation by encrypted checksum.

    2. Pascal Monett Silver badge

      Re: Data protection laws of world.

      You're absolutely right. This situation is ridiculous - let's create a new standard.

      1. StuntMisanthrope

        Re: Data protection laws of world.

        Tweet the G20, that's what you're here for. Not a new standard either. China and Africa are mag-stripe and the states are somewhere in between. If you've travelled through the middle with foreign cards, it's a lottery whether, POS, ATM or ePOS works anyway. This is why I moan about banking etc... #quellesurprise #enthalpyoscillation

  7. monty75
    FAIL

    Intruder in their network since 2014. Monitoring system noticed it in September 2018. Had someone forgotten to switch it on for four years?

    1. cbars Bronze badge

      Or they only built it this year. Hmmm, what could have prompted that new-found interest in the processing of personal info? Some companies just Genuinely Don't Perceive Risk, and sometimes they do, but only once it's too late.

    2. steviebuk Silver badge

      Possibly had someone in charge who didn't want to pay out for IT security. And now has someone who finally did want to pay out.

      1. Anonymous Coward

        @steviebuk

        So obviously all the losses from this are on the new guy, right?

        "If we never looked, we'd never know we were breached."

    3. adgec

      They meant to say 'recently purchased monitoring system which their IT team had been requesting for 4 years and only recently got signed off when they stuck the letters G,D,P and R in their business case'

    4. Pen-y-gors

      @monty75

      Or possibly it was upgraded in Sept 18 to report additional types of activity as being suspicious. We shouldn't always assume the worst. Which of us has never upgraded software to make things better?

      1. Anonymous Coward

        Greed of the thief.

        A thief will always get caught eventually. It just depends on the escalation rate. Perhaps they wanted a little more than could get past the checks and balances?

      2. Doctor Syntax Silver badge
        Unhappy

        "Which of us has never upgraded software to make things better?"

        And which of us has never upgraded software and found it made things worse?

    5. Yet Another Anonymous coward Silver badge

      The monitoring system didn't even notice - they only investigated when they found marriot-hack.tgz on a torrent site

  8. Electricity_Guy

    Being fair to Marriott

    Marriott can't be held wholly responsible, they only acquired Starwood in 2016, this hack seems to pre-date that. Still shit if you had your card deets swiped though.

    1. Peter X

      Re: Being fair to Marriott

      they only acquired Starwood in 2016, this hack seems to pre-date that

      I believe the hack has been on-going since 2014, so possibly someone should've noticed at some point since?

    2. Anonymous Coward

      Re: Being fair to Marriott

      Details of half a billion customers are arguably worth more than the bricks and mortar.

      Due Diligence...perhaps a pentest pre acquisition...then there is the two years since they bought it.

      1. Anonymous Coward

        Re: Being fair to Marriott

        “Due Diligence...perhaps a pentest pre acquisition...then there is the two years since they bought it.“

        I suspect this may be a case of a large, decentralised infrastructure - it could be as simple as a long-forgotten dial-up connection that was used for support in the distant past.

        Comprehensively testing for that type of flaw can be challenging and easily overlooked in the midst of cost cutting, staff changes and an acquisition.

      2. Stoneshop
        Holmes

        Re: Being fair to Marriott

        Details of half a billion customers

        Half a billion customer records. Though with multiple records per customer that would still amount to at least several tens of million customers.

        1. veti Silver badge

          Re: Being fair to Marriott

          I thought that. I find it very hard to believe that anything remotely like half a billion separate people go anywhere near a Marriott hotel in any given five-year period.

          I mean, that's pretty close to the entire population of Europe and the USA combined. Including children. It doesn't pass the laugh test.

  9. ISYS

    Just wondering

    Don't get me wrong, these breaches are bad news, but I was just wondering how many people have had real money stolen or an increase in spam because of one of them?

    I'm not saying these companies don't deserve everything they get in the way of fines etc I was just wondering what happens to the data.

    1. batfink

      Re: Just wondering

      My card details got into the wild after the British Airways hack, and rogue transactions started to hit in < 24 hours. Fortunately my bank was on top of it (and yes I had notified them) and I think between us we caught all of the dodgy ones. So, yes it's very possible people lose "real money" from these breaches. I was lucky, and was paying attention.

      As an aside: unfortunately this (and the subsequent card cancellation) hit exactly at the time I was trying to use the card to pay for a car hire in Italy, which added an extra layer of entertainment to the usual Italian car-hire circus.

      1. ISYS

        Re: Just wondering

        Glad it worked out well (in the end) for you. Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones. Not difficult to do. I know this won't be convenient for everyone right now, but as time goes on it seems to be the way to go.

        1. A.P. Veening Silver badge

          Re: Just wondering

          "Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones."

          For your information, my bank has been doing it for a couple of months now.

          1. yoganmahew

            Re: Just wondering

            "Hopefully it won't be too long before banking switches to using MFA with a one-time pad app on people's phones."

            Ha! I'll see your one-time pad and raise you contactless.

            Then I'll raise you signatures in the US...

            Then I'll raise you adding the tip in after you've signed the bill...

        2. File Not Found

          Out in the wild

          MFA which relies on a steady cellphone signal - not available out here in rural Suffolk UK, and already causing some gritting of the teeth, as these little details seem to escape MFA activists. Just sayin.

  10. Anonymous Coward

    "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."

    That is more likely to be a split key, as per PCI-DSS req 3.6.6.
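Split knowledge, as the comment above says, means the data-encrypting key is never held whole by one person: each custodian keeps a component, and only the XOR (or an n-of-m share combination) of all components is the key. The statement that both "components" may have been taken therefore means the attacker could have everything needed to decrypt. The block below is an added example written for this page, not Marriott's or anyone's real key-management code. It uses only the Python standard library, so the cipher is a stand-in stream cipher built from HMAC-SHA256 rather than the AES-GCM a real system would use; the key split and recombination is the point being demonstrated, and the PAN is the Visa test number:

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2) -> list:
    """Split `key` into `custodians` components. XOR of all of them is the key;
    any proper subset is uniformly random and reveals nothing about it."""
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for p in parts:
        last = xor_bytes(last, p)
    return parts + [last]


def combine_key(components: list) -> bytes:
    key = bytes(len(components[0]))      # all-zero start value
    for c in components:
        key = xor_bytes(key, c)
    return key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    # with the standard library only. Production code: AES-GCM from a real library.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_pan(key: bytes, pan: str) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + xor_bytes(pan.encode(), _keystream(key, nonce, len(pan)))


def decrypt_pan(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return xor_bytes(ct, _keystream(key, nonce, len(ct)))


def demo() -> dict:
    """Constructed scenario: the DEK is split between two custodians; the attacker
    has the encrypted record plus one component, or plus both."""
    dek = secrets.token_bytes(32)
    comp_a, comp_b = split_key(dek, 2)    # custodian A and custodian B
    stored = encrypt_pan(dek, "4111111111111111")
    del dek                               # the whole key exists only while in use
    return {
        "both_components": decrypt_pan(combine_key([comp_a, comp_b]), stored),
        "component_a_only": decrypt_pan(comp_a, stored),
        "component_b_only": decrypt_pan(comp_b, stored),
    }


if __name__ == "__main__":
    print(demo())
```

One component plus the database yields random bytes; both components plus the database yields the card numbers, which is the scenario Marriott says it cannot rule out. Note that PCI DSS requirement 3.6.6 applies to manual clear-text key operations; an HSM that never exposes the key at all avoids the custodian problem entirely.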

  11. TheInnerPartSystem

    Homewrecker

    With 500 million records I can see the following scene playing out in multiple homes...

    Letter arrives - "Dear Sir, regarding your stay at our Las Vegas hotel on March 21 2018...."

    Wife - "Hey honey, wasn't that the same weekend as your work conference in Minnesota?...."

    1. Tom 38

      Re: Homewrecker

      Is it weird I'd rather go to Minnesota?

      1. The Oncoming Scorn Silver badge
        Coat

        Re: Homewrecker

        Northern Minnesota is actually quite nice, and I drove from MSP up to and into Canada some years back. I don't think I enjoyed the drive up from Chicago back to MSP on the same trip around the Great Lakes (but the weather had turned; it was wet/sleet) and the views weren't as great in the south, to the best of my recall.

  12. Efer Brick

    I have my reservations...

    Or, rather they do!

  13. Kev99 Silver badge

    Okay people. We're going to store our most sensitive information in those paper bags. You know, the ones we got when we bought our groceries. Yup. So, what is a net? Just a bunch of holes held together by string. And a cloud is just a bunch of holes held together by vapour. It's free!!

  14. DerekCurrie
    Alert

    Target, 78 Million

    ...Despite repeated warnings and indicators from both outside and inside the company.

  15. Anonymous Coward

    Remind me

    Why they need *all* the details once payment has been processed.

    1. Mr. Flibble

      Re: Remind me

      Because you could have legged it with all the bathrobes/been smoking in a non-smoking room/trashed the place.

      None of this will be found until hours after checkout when housekeeping goes round to clean rooms etc.

      1. Anonymous Coward

        Re: Remind me

        I think the point was "why do they still need my card details from my stay in 2014".

        SPG hotels tend to have housekeeping in every day rather than every 4 years.

  16. Graham Butler

    Address AND reservation date? Wonder if there's any correlation with burglaries....

    1. Anonymous Coward

      Address and reservation date

      There's hardly ever any crossover between virtual and physical crime. They'd have to get this information in real time and have a nationwide network of burglars on call to monetize that. Even the mob wouldn't be able to do that these days.

      Most likely the hackers are halfway around the world, and could care less about knowing when I'm out of my house for a few days.

  17. Pascal Monett Silver badge
    Trollface

    "exposed the entire database"

    You've got to hand it to Marriott - they don't do things halfway.

  18. JLV

    Might not be as big as Yahoo! but that info seems a lot more identity-theftable. CC# are easy: just get a new one, the rest is not.

    Are passport numbers and DOBs globally mandated for storage? I know France had police-requested guest registration info for a while, maybe still does. But most of the time now CC# and license plate is all that's needed. DOB? Why?

    Security 101: if you don’t store it, it can’t be hacked.

    1. Peter X

      Security 101: if you don’t store it, it can’t be hacked.

      I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability* to them and they should delete what they can as soon as they can. If someone hasn't purchased from you in the last 6 months (and you're not an automatic repeat biller), then it's probably best to delete the card number... it's not like you're saving the customer loads of time re-entering it when they hardly order from you anyway.

      * Previously it made sense to hoard as much data as possible. With GDPR the mining potential is limited because you're not allowed to exploit it easily, and obviously, with GDPR, data loss can = financial loss.

      1. Doctor Syntax Silver badge

        "I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability"

        You're quite right but it's not easy to break the habits of a lifetime. It doesn't help that for a lot of management bods the desire to hoard and exploit data is part of their personality; it's what got them into those roles. It's probably going to take a few fines on a scale prompted by intent to make an example of a few miscreants before the message gets through. And then a few more top-tier fines on a few businesses who try to cover up to get that message through as well.

    2. ElReg!comments!Pierre

      I know France had police-requested guest registration

      Always had, still have, although there ARE ways to slip through if you really want to. Most countries have similar requirements, especially for foreigners. I can't remember registering in a hotel in the Americas, Europe, Asia or Africa without providing a piece of ID (or a couple of locally-tradable pieces of paper money, which I tend not to do, out of principle).

    3. Mr. Flibble

      police-requested guest registration

      Italy does this too, but they only get transferred from the hotel systems "on request".

      1. Nick Kew

        Re: police-requested guest registration

        Most countries seem to be a bit random IME. I've had hotels in Blighty, as well as various other countries in Europe and elsewhere, ask for my passport or comparable ID. And others that take a more relaxed attitude.

        They do all seem to want a creditcard on booking and checkin. And recently they don't bother with it on checkout, which implies the capability to debit it some days later than reading it. I should hope that works with a single-use token rather than storing the whole thing!

      2. JLV

        Re: police-requested guest registration

        Well then, if I was designing hotel POS systems, I'd:

        1. Limit ID intake to strictly what's _locally_ legally required.

        2. Upload to the relevant police DB and delete.

        3. If 2 doesn't exist, delete as soon as you reach the end of the locally legislated retention period.

        FWIW, when I visit the US, it's always just the CC# and car plate #. Ditto within Canada. So that's at least 2 countries not needing retention.

      3. Anonymous Coward

        "they only get transferred from the hotel systems "on request"

        In Italy it was also common that a hotel would actually register you *only* if you paid by a traceable means - a lot of cash is still in use - and often the card reader was "not working", especially for foreign tourists; to evade taxes they did not register a lot of guests... (more common in small hotels; big groups probably less so). Now, with counter-terrorism rules, it may have become riskier.

  19. Mark 85

    I'm giving some thought to burning the CC's and going cash only. No checks either. These are scary times indeed. But that may be just a knee jerk reaction to all the breeches lately. Seems we can't trust anyone any more.

    1. alexdonald

      Knee jerk... Breeches... Haha

      (That was deliberate, right?)

    2. Doctor Syntax Silver badge

      "burning the CC's and going cash only. No checks either."

      The way things are going it'll be impossible to get hold of cash, at least in the UK. You can't get cash from your now-closed bank branch and you'll need a card to get cash out of an ATM. And that assumes the ATM network survives.

      It's high time retention of banking licences was tied to meeting standards of accessibility and customer service with the required standards being notched up each year.

  20. neilas

    Half a billion customers? They wish! The world population is only 7.5 billion, so Marriott have one fourteenth of the world as registered clients, do they?

  21. Pen-y-gors

    500 million?

    Nah! 500 million transactions, maybe, but not 500 million customers. Even if it's worldwide, I suspect a lot are in the USA, and a fair proportion of the population there can't afford to stay in a decent house, never mind a Marriott hotel. And I'm sure a lot of their customers tend to be regular repeat offenders, so probably only 50-100 million, i.e. less than Equifax. Pah! Piffling small change!

    1. Doctor Syntax Silver badge

      Re: 500 million?

      Since 2014 some of the cards will have expired so they'll be counting the originals and the replacements. Then there are customers with multiple cards. And some of the customers will have changed address or given a home address sometimes and a business address at others. Even if it's card plus address combinations rather than transactions there'll be a good deal of multiple counting of individuals going on.

  22. Wolfclaw

    This will be expensive !

  23. MrMerrymaker

    Data Shmata

    Not that I don't already do it to a large extent online, but I'm starting to wonder why I don't just get black market new identities, just so when they get inevitably compromised, it's less upsetting.

    Still. Happily not a Marriott customer, ever. When I contracted for IBM they did pay for a hotel once - oh, wait, Travelodge were already hit this past summer!

    1. the Jim bloke
      Trollface

      Re: Data Shmata

      "Not that I don't already do it to a large extent online, but I'm starting to wonder why I don't just get black market new identities"

      Half a billion fresh ones now available.

  24. adam payne

    "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014."

    Unauthorised access for four years. The entire booking database with 500 million guest details in it but no one noticed anything.

    Equifax were bitch slapped with a fine but these guys are going to be ass kicked.

  25. Michael Jarve
    FAIL

    *YAWN*

    Cue the standard "We'll pay for credit monitoring (by handing all your info to Equifax) for a year, and we take customer yada-yada seriously, also we have measures in place like not having the admin password '1234' to probably make sure this doesn't happen again; also since you used our website, you agreed to the T&C's, and individual arbitration, no class-action lawsuits, and so on. We strive for excellence and value our relationship with shareholders customers guests."

    This is getting old...

    1. Doctor Syntax Silver badge

      "since you used our website, you agreed to the T&C's"

      It probably depends on jurisdiction but statute law as to consumer rights overrides contract law.

  26. Anonymous Coward
    Anonymous Coward

    Marriott's Starwood hotels mega-hack:

    Any idea as to the technical nature of the hack?

  27. The Oncoming Scorn Silver badge
    Stop

    Phantom Phone Calls

    I get on average 4 calls a month automated voice mail claiming that as a Marriott (Sometimes WestJet) client, I have qualified for ............

    I have usually dropped the phone connection by then.

  28. Anonymous Coward
    Anonymous Coward

    And we thought our boss was just stingy

    Now I know why he only pays for camp site accommodation when we travel....

    So far Kampgrounds of America haven't been targeted.

  29. XSV1
    Mushroom

    Au revoir Marriott!

    Oh bugger. I have stayed in sodding Marriott hotels all around the planet. Their patently crap attitude to security really pisses me off.

    No more Marriott hotels for me!

  30. greenwood-IT
    Facepalm

    It's ok...

    It's ok, the hackers got the "communication preferences" data - I selected the "no email" option.

  31. Anonymous Coward
    Anonymous Coward

    This will continue to happen....

    ....due to so many companies seeing IT as just an unnecessary expense. I sat in the Pullman Hotel in London early in the year & while bored in my room just scanned the network. Surely such a business hotel would have at least wireless isolation on.

    Nope!

    Shocking.

    I reported all the findings on Twitter to them while there. Granted, was only there a few days and during that time it was slowly being locked down after my reports, but how long had it not been? At one point there was access to one of the servers that controlled heating somewhere in the hotel or it was a reporting system, I can't quite remember. But it clearly hadn't been patched in years. You could even see their own office PCs on the network that all guests have access to.

    I've seen some bad setups at small, family-run lodge places, which still shouldn't happen but is more understandable; at a big chain and business hotel it is unforgivable.

    I now wonder if Pullman has ever had any breaches and just kept quiet or still not realised.

  32. Anonymous Coward
    Anonymous Coward

    Just had my Marriott email

    It opens:

    'Marriott values our guests and understands the importance of protecting your personal information'

    This must be a new policy.

    'the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)'

    So we can assume our passport numbers have been left in plaintext and are now in the hands of the PLA. Unlike credit cards it is hard to know if this data has been misused and not easy to get a free replacement if you suspect yours has been misused.

    I wonder if Marriott fancies coughing up for half a billion new passports?
