Marriott: Massive Data Breach May Put 500 Million Guests' Information at Risk

hawki · Nov 30, 2018

"Marriott International said Friday that it is working to resolve a massive data breach that could have affected as many as 500 million customers that could have included passport numbers and credit card details.

Marriott said the breach, which has been reported to law enforcement officials, was first alerted on September 8 and involved its Starwood guest reservation data base. On November 19, the company said, it determined there had been unauthorized access to the data going back to at least 2014..."

https://www.thestreet.com/investing...0-million-guests-information-at-risk-14796827

hawki · Nov 30, 2018

Marriott Press Release:

https://www.businesswire.com/news/home/20181130005123/en

According to a press release, Marriott believes the compromised database had information on up to 500 million guests who had made a reservation at a Starwood property.

The information compromised includes sensitive details including their passport numbers (for those who booked at foreign hotels) as well as name, date of birth, dates of their reservation, email address and mailing address. The infiltration dates back to at least September 2014 - before Starwood was purchased by Marriott - and continued through September of this year.

Payment card numbers and payment card expiration dates belonging to some of those affected were also stolen, but the payment card numbers were encrypted using Advanced Encryption Standard encryption.

hawki · Nov 30, 2018

"...An unspecified number of people also had their credit card information taken. It is encrypted, but Marriott said that the hackers may have taken the information needed to decrypt it..."

https://www.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11

hawki · Nov 30, 2018

Starwood brands include:

W Hotels
St. Regis
Sheraton Hotels & Resorts
Westin Hotels & Resorts
Element Hotels
Aloft Hotels
The Luxury Collection
Tribute Portfolio
Le Méridien Hotels & Resort
Four Points by Sheraton
Design Hotels

hawki · Nov 30, 2018

"...Marriott said that it had learned on Sept. 8 that an unauthorized party had access to its systems. But it was not able to decrypt what was stolen until Nov. 19..."

https://www.washingtonpost.com/busi...acting-million-guests/?utm_term=.fab605e7ad9a

Marriott evidently located the stolen data base that had been encrypted by the hacker.

hawki · Nov 30, 2018

"...Marriott’s carefully worded statement doesn’t identify who obtained access and how. That’s particularly troubling, as if this wasn’t a hack or full security breach then it could have been sloppy security that let anyone access this information and clone the database. That’s backed up by the fact Marriott reveals it discovered the database breach through a copied and encrypted version. Whether this copy is public, or for sale on the dark web, remains vague..."

https://www.theverge.com/2018/11/30/18119403/marriott-database-breach-starwood-hotels

hawki · Nov 30, 2018

"New York Attorney General opens investigation into Marriott data breach..."

https://twitter.com/NewYorkStateAG/status/1068510072396029952

Minimalist · Dec 2, 2018

What the Marriott Breach Says About Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
Click to expand...

https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/

guest · Dec 2, 2018

Marriott sued hours after announcing data breach
One class-action lawsuit is seeking $12.5 billion in damages
December 2, 2018
https://www.zdnet.com/article/marriott-sued-hours-after-announcing-data-breach/

Hours after announcing a data breach on Friday, two Oregon men sued international hotel chain Marriott for exposing their data. Their lawsuit was followed hours later by another one filed in the state of Maryland.

Both lawsuits are seeking class-action status. While plaintiffs in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott, the plaintiffs in the Oregon lawsuit want $12.5 billion in costs and losses.

The two Oregon plaintiffs told a local newspaper, that they view the $25 as a minimum value for the time users will spend canceling credit cards due to the Marriott hack.
The Maryland lawsuit was filed by Baltimore law firm Murphy, Falcon & Murphy, according to a press release.
Click to expand...

ronjor · Dec 3, 2018

Massive Marriott Breach Underscores Risk of overlooking Data Liability

December 2, 2018 11:44 by Paul
The massive and years-long data breach affecting Marriott Hotels’ Starwood properties isn’t the largest corporate loss of data ever. (That honor goes to Yahoo!) Still, the theft of data on some 500 million individuals who stayed at Starwood properties shares one important characteristic with the likes of Yahoo!, MySpace, Equifax, Target and (ahem!) Adult Friendfinder: data liability.
Click to expand...

ronjor · Dec 3, 2018

Schumer Says Marriott Should Pay to Replace Hacked Passports

By Associated Press on December 03, 2018
Sen. Charles Schumer says Marriott hotel officials should pay for new passports for customers whose passport numbers were hacked as part of a massive data breach.
Click to expand...

guest · Dec 3, 2018

Marriott’s breach response is so bad, security experts are filling in the gaps — at their own expense
December 3, 2018
https://techcrunch.com/2018/12/03/marriott-data-breach-response-risk-phishing/

Last Friday, Marriott sent out millions of emails warning of a massive data breach [...] One problem: the email sender’s domain didn’t look like it came from Marriott at all.

Marriott sent its notification email from “email-marriott.com,” which is registered to a third party firm, [...] In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.

But what makes matters worse is that the email is easily spoofable. People who think they’re at risk after a breach are more susceptible to being duped.

Take “email-marriot.com.” To the untrained eye, it looks like the legitimate domain — but many wouldn’t notice the misspelling.
Nick Carr, who works at security giant FireEye, registered the similarly named “email-mariott.com” on the day of the Marriott breach.
Click to expand...

ronjor · Dec 4, 2018

The Marriott data breach

December 4, 2018
by Seena Gressin Attorney, Division of Consumer & Business Education, FTC
The company set up an informational website, https://answers.kroll.com, and a call center, 877-273-9481, to answer questions. It says affected customers also can sign up for a year of free services that will monitor websites that criminals use to share people’s personal information. Marriott says the service will alert customers if their information shows up on the websites, and will also include fraud loss reimbursement and other services.
Click to expand...

hawki · Dec 6, 2018

"Clues in Marriott hack implicate China

(Reuters) - Hackers behind a massive breach at hotel group Marriott International Inc (MAR.O) left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter...

That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing’s espionage efforts and not for financial gain, two of the sources said.

While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online...

Former senior FBI official Robert Anderson told Reuters that the Marriott case looked similar to hacks that the Chinese government was conducting in 2014 as part of its intelligence operations.

'Think of the depth of knowledge they could now have about travel habits or who happened to be in a certain city at the same time as another person,' said Anderson, who served as FBI executive assistant director until 2015...

Michael Sussmann, a former senior Department of Justice official for its computer crimes section, said that the long duration of the campaign was an indicator that the hackers were seeking data for intelligence and not information to use in cyber crime schemes..."

https://www.reuters.com/article/us-...tt-hack-implicate-china-sources-idUSKBN1O504D

ronjor · Dec 7, 2018

New Lawsuit Claims Marriott Still Exposes Customer Information

By Eduard Kovacs on December 07, 2018
A new class action filed against Marriott following the massive data breach alleges that the hotel giant’s systems are affected by a serious vulnerability that still exposes customer information.
Click to expand...

hawki · Dec 12, 2018

"U.S. investigators point to China in Marriott hack affecting 500 million guests

U.S. government investigators increasingly believe that Chinese state hackers were most likely responsible for the massive intrusion reported last month into Marriott’s Starwood chain hotel reservation system,...

Preliminary indications show the breach was executed by hackers affiliated with the Chinese Ministry of State Security, ...The MSS, an intelligence and security agency, has been behind many Chinese government intrusions into sensitive U.S. networks in recent years....

Some U.S. intelligence officials believe that the breach was conducted to enrich the massive Chinese data sets on U.S. and other citizens that have been amassed for years,...

The people familiar with the investigation said the Marriott breach involved the same cloud-hosting space that Chinese state hackers have used in the past, and that one signature technique that involved hopping among servers also points to Chinese involvement. Another clue suggesting nation-state involvement was that none of the breached data has appeared on the “dark Web” or any of the forums that criminals typically use to sell stolen credentials and other valuable personal data..."

https://www.washingtonpost.com/tech...ing-million-travelers/?utm_term=.ad8589dc15ba

guest · Jan 4, 2019

Marriott says 25 million passport numbers, some unencrypted, involved in massive breach
January 4, 2019
https://www.cyberscoop.com/marriott-breach-passport-numbers-revision/

Marriott International said Friday that 383 million customer records were stolen in a data breach last month, down from the hotel chain’s original estimate of 500 million.

Some 5.25 million of the 25.5 million passports numbers were stored in plain text, Marriott said Friday, providing hackers with a valuable means of stealing individuals’ identities.
The company also said it believes that approximately 8.6 million encrypted payment cards were involved in the attack.

The roughly 383 million customer files is the “upper limit” of the total number of records involved in the breach, Marriott said.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns [...]"
Click to expand...

Marriot News Center: Marriott Provides Update on Starwood Database Security Incident

guest · Jan 12, 2019

Marriott Faces Sprawling Class-Action Lawsuit Over Hotel Reservation Data Breach
January 11, 2019
https://gizmodo.com/marriott-faces-massive-class-action-lawsuit-over-hotel-1831686560

The suit, brought by more than 150 past hotel guests, according to Vox, is at least the second to surface since the breach was disclosed in late November.

Filed in Maryland federal district court on January 9, the massive suit includes plaintiffs in dozens of states where it alleges laws were violated. It accused Marriott of involvement in “deceptive, unconscionable, and substantially injurious practices.”
The breach of Marriott’s Starwood reservation system is one of the largest in recent history, potentially dwarfing the 2017 Equifax incident by more than a hundred million victims.
Click to expand...

ronjor · Jan 12, 2019

Encryption: Avoiding the Pitfalls That Can Lead to Breaches

Analysis of Common Mistakes Made When Encrypting Data Suparna Goswami (gsuparna) • January 8, 2019
The Marriott mega-breach is calling attention to the issues of whether organizations are storing too much data and whether they're adequately protecting it with the proper encryption steps.
Click to expand...

dogbite · Feb 15, 2019

I am in.
Got a Starwood email saying that my personal details were involved in that breach. I have asked if they could know which kind of data were exposed.
After some weeks they replied, it seems that passport number (this was my first worry) and credit card number were not exposed, however all other details were.

Based on the Email Address you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:

Name

Address Information

Primary Email Address

Primary Phone Number

Other Phone Information

Passport Issuing Country

Starwood Preferred Guest (SPG) Number

Starwood Preferred Guest (SPG) Loyalty Status and Balances

Starwood Executive Traveler Number

Guest Opt-In Preferences

Email Communication Preferences

Central Starwood Unique Record Locator

Employed at Starwood (Y/N)

Record History Information

Click to expand...

guest · Feb 15, 2019

Marriott now lets you check if you’re a victim of the Starwood hack
February 15, 2019
https://techcrunch.com/2019/02/15/marriott-starwood-hack-check/

Hotel chain giant Marriott will now let you check if you’re a victim of the Starwood hack.

The company confirmed to TechCrunch that it has put in place “a mechanism to enable guests to look up individual passport numbers to see if they were included in the set of unencrypted passport numbers.” That follows a statement last month from the company confirming that five million unencrypted passport numbers were stolen in the data breach last year.

The checker, hosted by security firm OneTrust, will ask for some personal information, like your name, email address, as well as the last six-digits of your passport number.
Opening up the checker to the wider public is a bright spot in what’s been a fairly atrocious incident recovery by Marriott since the breach.
Click to expand...

guest · Mar 4, 2019

Data Breach Cost Marriott $28 Million So Far
March 4, 2019
https://www.securityweek.com/data-breach-cost-marriott-28-million-so-far

According to Marriott, $25 million of the $28 million expenses incurred as a result of the security incident has been covered by insurance.

During an earnings call, Arne Sorenson, CEO and president of Marriott, said there had not been any RevPAR (revenue per available room) impact from the breach and it does not appear that customer loyalty has been affected.
He also noted that the number of calls received by Marriott’s dedicated call centers dropped from roughly 40,000 in December to less than 3,000 in February.

Sorenson said the forensic investigation into this incident has been completed. American Express reported that there had not been any spike in credit card fraud as a result of the breach.
Click to expand...

guest · Mar 7, 2019

Marriott CEO apologizes for data breach, unsure if China responsible
March 7, 2019
https://www.reuters.com/article/us-...ach-unsure-if-china-responsible-idUSKCN1QO217

Marriott International Inc Chief Executive Arne Sorenson apologized on Thursday before a U.S. Senate panel for a massive data breach involving up to 383 million guests in its Starwood hotels reservation system and vowed to protect against future attacks.

Sorenson told the Senate Permanent Subcommittee on Investigations that the hacking, which occurred over a four-year period, that he did not know if China was behind the hacking attempt but said it was fully cooperating with the FBI, which is trying to determine who was responsible.
“The short answer is we don’t know,” Sorenson said. “We’ve simply been focused on making sure the door is closed.”
Click to expand...

guest · May 3, 2019

$100-million class action lawsuit filed in Calgary over Marriott Hotels data breach
May 3, 2019
https://calgarysun.com/news/local-n...d-in-calgary-over-marriott-hotels-data-breach

The massive data hack of guest information from the Marriott hotel empire has triggered a $100-million class action lawsuit in Calgary.
“The defendants knew or ought to have known that their databases were vulnerable to loss or theft,” says the claim, filed by Calgary lawyer Clint Docken and Edmonton counsel James Brown.

The lawsuit claims, among other things, Marriott didn’t utilize up-to-date security systems to protect its clientele.
“The defendants breached their duty of care by using dated security measures that failed to detect the security breaches as they happened and failing to notice the breaches for over four years.”
Click to expand...

guest · May 13, 2019

Did Marriott bloat Australia’s official data breach numbers?
New +10 million Aussie victims increment launched
May 13, 2019
https://www.itnews.com.au/news/did-marriott-bloat-australias-official-data-breach-numbers-525053

The gargantuan Marriott customer data hack that hit around 500 million people globally at the end of 2018 appears to have substantially swollen the Office of the Australian Information Commissioner’s quarterly data release after a single notification accounted for more than 10 million affected Australians.

The OAIC on Monday was forced to lift the ceiling of its regular statistical table, adding a new increment of +10 million Australian to its quarterly catalog of corporate woe that had previously topped out at 1,000, 000 to 10,000,000.
In what could be a worrying sign for the future, the OAIC hasn’t put an upper-range on its top number, confining it simply to the “10,000,001 or more” range.

Information security sources contacted by iTnews said they were not aware of credible alternative explanations for the leap in affected individuals in Australia, noting that international companies operating in Australia were bound by reporting and privacy laws here.
Click to expand...

Log in or Sign up

Marriott: Massive Data Breach May Put 500 Million Guests' Information at Risk

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

Minimalist Registered Member

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

ronjor Global Moderator

hawki Registered Member

ronjor Global Moderator

hawki Registered Member

guest Guest

guest Guest

ronjor Global Moderator

dogbite Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Marriott: Massive Data Breach May Put 500 Million Guests' Information at Risk

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

hawki Registered Member

Minimalist Registered Member

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

ronjor Global Moderator

hawki Registered Member

ronjor Global Moderator

hawki Registered Member

guest Guest

guest Guest

ronjor Global Moderator

dogbite Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches