
[merged] Marriott's Starwood Hotel reservation database has been hacked

mdurette

Sighting Expert & TUG Review Crew: Expert
TUG Member
Joined
Jul 2, 2008
Messages
7,693
Reaction score
5,289
Points
748
Location
New England
Passport number is yuuuuuge, y'all. I'm sure they "deeply regret" it; the depth of their regret will be proportional to the depths that their stock price sinks today and Monday. Talk about releasing this news on Take Out the Trash day....

I haven’t traveled much out of the country, but when we have I don’t recall ever having to give my hotel my passport number. Is this normal protocol?
 

VacationForever

TUG Review Crew
TUG Member
Joined
Dec 5, 2010
Messages
16,254
Reaction score
10,686
Points
1,048
Location
Somewhere Out There
The only place that we have had to submit a copy of our passports was Westin Lagunamar. I wonder if they scanned the images into the system.
 

Karen G

Moderator
Joined
Aug 17, 2004
Messages
9,470
Reaction score
1,984
Points
749
Location
Henderson, NV
Resorts Owned
Once owned these: FirstFairway@Walden X 2; Lawai Beach; ManhattanClub; PuebloBonitoRose; 4 South Africa--now timeshare-free
Has anyone here ever been affected by a breach of this type? There have been other big data breaches but I haven't really heard stories of victims of such a breach.
 

tombanjo

TUG Member
Joined
Aug 18, 2018
Messages
1,534
Reaction score
2,585
Points
324
Resorts Owned
HCNY
500 million email addresses to send spam to is worth something on the darkweb.
 

breezez

TUG Member
Joined
Jul 1, 2015
Messages
1,020
Reaction score
693
Points
224
Location
Dover, FL
Resorts Owned
WorldMark 39K
Wyndham 406K
RCI Points 196K
Hyatt Pinon Pointe
Hyatt Coconut Plantation
Maybe that’s what happened to my 500 million SPG Points. I should call and say I want them back. :D
 

VegasBella

TUG Member
Joined
Mar 7, 2013
Messages
3,307
Reaction score
1,017
Points
398
Location
Vegas
Resorts Owned
Carlsbad Inn
Avenue Plaza
Riviera Beach & Spa
Aquamarine Villas
These things keep happening. As consumers, there's not much we can do about it. We just become victims over and over.
 

bbodb1

TUG Review Crew: Expert
TUG Member
Joined
Apr 9, 2016
Messages
4,305
Reaction score
3,824
Points
348
Location
High radiation belt of the Northern Hemisphere
Resorts Owned
RCI Weeks: LaCosta Beach Club, RCI Points: Oakmont Resort, Vacation Village at Parkway. Wyndham: CWA and La Belle Maison, and WorldMark.
I haven’t traveled much out of the country, but when we have I don’t recall ever having to give my hotel my passport number. Is this normal protocol?

A person is required to show id at check in and a passport is accepted for this purpose according to a story I heard yesterday.
 

bbodb1

TUG Review Crew: Expert
TUG Member
Joined
Apr 9, 2016
Messages
4,305
Reaction score
3,824
Points
348
Location
High radiation belt of the Northern Hemisphere
Resorts Owned
RCI Weeks: LaCosta Beach Club, RCI Points: Oakmont Resort, Vacation Village at Parkway. Wyndham: CWA and La Belle Maison, and WorldMark.
Has anyone here ever been affected by a breach of this type? There have been other big data breaches but I haven't really heard stories of victims of such a breach.

Karen,

It is likely we all have, given the number of breaches that have already occurred (not just this one, but several other breaches of recent memory - Target and Equifax come to my mind - but there are far too many others). To your point though, yes, I have had attempts to open accounts in my name with stores I have never shopped in areas of the country I have never been. That is one aspect of what makes a breach of data so serious - the problems do NOT necessarily start soon after the breach. It may be weeks, months, even years before some data is used - long after the sensationalism of the story itself fades.

I watch my credit info religiously - perhaps too much so I suppose - because of the potential for unauthorized use. I hate to say it, but it is what one has to do these days.

Fortunately, I caught the unauthorized activity early on so it was not much of a problem to deal with but it did take time.
 

klpca

TUG Review Crew: Veteran
TUG Member
Joined
Sep 11, 2006
Messages
8,278
Reaction score
7,293
Points
749
Location
CA
Resorts Owned
SDO, Quarter House, Seapointe, Coronado Beach, Carlsbad Inn, Worldmark
Were timeshare stays reflected on the SPG site? If not, I feel somewhat safe.

I've stopped worrying on a personal level about hacks. I watch my credit and my accounts, and try my best to protect data on my end, but it's always the business on the other side that manages to get hacked. I get a bit peeved that I have to set super strong passwords for everything, yet the back end gets hacked.
 

x3 skier

TUG Review Crew: Veteran
TUG Member
Joined
Apr 17, 2006
Messages
5,277
Reaction score
2,305
Points
649
Location
Ohio and Colorado
Resorts Owned
Steamboat Grand, The West,
Raintree and, formerly, The Allen House
Thank you, TravelTime, for that very helpful article. First TJ Maxx, Target, now Marriott’s, when is it going to stop?

It isn’t.

My info has been compromised so many times I just locked my credit and ignore it. Can’t do much else anyway.

Cheers
 

bbodb1

TUG Review Crew: Expert
TUG Member
Joined
Apr 9, 2016
Messages
4,305
Reaction score
3,824
Points
348
Location
High radiation belt of the Northern Hemisphere
Resorts Owned
RCI Weeks: LaCosta Beach Club, RCI Points: Oakmont Resort, Vacation Village at Parkway. Wyndham: CWA and La Belle Maison, and WorldMark.
Were timeshare stays reflected on the SPG site? If not, I feel somewhat safe.

I've stopped worrying on a personal level about hacks. I watch my credit and my accounts, and try my best to protect data on my end, but it's always the business on the other side that manages to get hacked. I get a bit peeved that I have to set super strong passwords for everything, yet the back end gets hacked.

And until a company is meaningfully held responsible for a data breach, companies will continue to pay lip service to security - claiming they are doing all they can while minimizing spending on data security.
 

VacationForever

TUG Review Crew
TUG Member
Joined
Dec 5, 2010
Messages
16,254
Reaction score
10,686
Points
1,048
Location
Somewhere Out There
Were timeshare stays reflected on the SPG site? If not, I feel somewhat safe.

I've stopped worrying on a personal level about hacks. I watch my credit and my accounts, and try my best to protect data on my end, but it's always the business on the other side that manages to get hacked. I get a bit peeved that I have to set super strong passwords for everything, yet the back end gets hacked.
You are only thinking of what you saw on spg.com. I believe Vistana and Starwood reservations and account information were stored in the same database system. The hack was not at the interface, which was what you saw on spg.com. The hack was done at the database level.
 

pedro47

TUG Review Crew: Expert
TUG Member
Joined
Jun 6, 2005
Messages
22,100
Reaction score
8,563
Points
948
Location
East Coast
Our credit account & our scores have been in a freeze status for years at the three (3) credit bureaus.
 

T_R_Oglodyte

TUG Lifetime Member
Joined
Jun 6, 2005
Messages
16,155
Reaction score
8,088
Points
1,048
Location
Belly-View, WA
Were timeshare stays reflected on the SPG site? If not, I feel somewhat safe.

I've stopped worrying on a personal level about hacks. I watch my credit and my accounts, and try my best to protect data on my end, but it's always the business on the other side that manages to get hacked. I get a bit peeved that I have to set super strong passwords for everything, yet the back end gets hacked.

Per this story, the hack included Starwood timeshare information:

Marriott reports that there has been unauthorized access to its Starwood guest reservation database, which contained guest information relating to reservations at Starwood properties on or before September 10. These include hotels under the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels brands, as well as Starwood-branded timeshare properties.
 

pedro47

TUG Review Crew: Expert
TUG Member
Joined
Jun 6, 2005
Messages
22,100
Reaction score
8,563
Points
948
Location
East Coast
Sounds like several Starwood employees or just one very high level IT security employee with a very high level access to data information.

Like a team, one was a high level IT person and one person in a higher level position in management who could approve this IT employee access without causing any notification to Starwood upper management or corporate IMHO.
 

pedro47

TUG Review Crew: Expert
TUG Member
Joined
Jun 6, 2005
Messages
22,100
Reaction score
8,563
Points
948
Location
East Coast
I feel an internal auditor would not have that kind of high level computer access to that huge number of customers, personal information, passwords and credit card numbers. Plus an internal auditor could not transfer that amount of customer data without someone's approval in management or Starwood Corporate Office IMHO. :crash::crash:
 

pedro47

TUG Review Crew: Expert
TUG Member
Joined
Jun 6, 2005
Messages
22,100
Reaction score
8,563
Points
948
Location
East Coast
Also, if this was done by an auditor there must be an auditor trail of information.
 

dsmrp

TUG Member
Joined
Feb 28, 2014
Messages
2,529
Reaction score
1,849
Points
398
Location
MI Washington
Resorts Owned
Sheraton Vistana, Waikoloa Bay Club, Hyatt Pinon Pt
Maybe someone got a hold of a service account used for data analytics reporting or a 3rd party sw application.
An individual's account should have been logged when it accesses database tables.
DBAs are generally loath to give access to anyone other than other DBAs ;)

I changed our Vistana timeshare and Marriott Rewards accounts passwords.
Not sure what we should do about our credit cards used for our stays except to monitor the charges each month,
which DH does anyway.

I work in healthcare. If our patient data was hacked there would be (large) fines....
 

TravelTime

TUG Member
Joined
Mar 20, 2018
Messages
8,093
Reaction score
6,460
Points
499
Location
California
Resorts Owned
All Resale: MVC DPs, Marriott Ko Olina, Marriott Marbella, WKOVR-N, Four Seasons Aviara
Marriott’s Starwood Missed Chance To Detect Huge Data Breach Years Earlier
Attack in 2015 could have prompted hotel operator to investigate and find hackers who lurked in its computer system, experts say

By Robert McMillan
Dec. 2, 2018 5:11 p.m. ET

Marriott International Inc. says it responded quickly when it learned in recent weeks of a colossal theft of customer data. But cybersecurity specialists say the company missed a significant chance to halt the breach years earlier.

Marriott on Friday said the hack of the reservation database for its Starwood properties, which involved the theft of personal information on up to 500 million customers, began in 2014 and went undetected until this September.


In 2015, Starwood reported a much smaller breach, in which attackers installed malware on point-of-sale systems in some hotel restaurants and gift shops to siphon off payment-card information. It disclosed the attack four days after Marriott announced a deal to acquire Starwood Hotels & Resorts Worldwide for what ended up being $13.6 billion, creating the No. 1 hotel company globally.

Marriott says that the 2015 incident was different and not related to the attack made public Friday. But security specialists say that while it’s not unusual for breach investigations to miss a second intruder, a more thorough investigation into the 2015 intrusion could have uncovered the attackers, who instead were able to lurk in its reservation system for three more years...

https://www.wsj.com/articles/marrio...ach-years-earlier-1543788659?mod=hp_lead_pos7

 

tombanjo

TUG Member
Joined
Aug 18, 2018
Messages
1,534
Reaction score
2,585
Points
324
Resorts Owned
HCNY
While it is prudent to change your password, this has been going on for several years. If you have used the same password and email combination at multiple sites, change those too.
 

sea&ski

TUG Review Crew
TUG Member
Joined
Aug 12, 2010
Messages
253
Reaction score
51
Points
238
Location
Arizona
Exactly my response. But there is so much more at offer here, or not. Depends on what really was gleaned by the hackers. Best to follow others' advice and have your credit accounts on permanent freeze. A caveat: this can only be accomplished by filing police reports and documenting hard facts on identity theft. The freeze can last up to 7 years, and requires some effort to undo, temporarily, when you need to have credit for one reason or another.
 

sea&ski

TUG Review Crew
TUG Member
Joined
Aug 12, 2010
Messages
253
Reaction score
51
Points
238
Location
Arizona
"While it is prudent to change your password, this has been going on for several years. If you have used the same password and email combination at multiple sites, change those too"

Exactly what I said a few days ago, but changing your password does nothing for the data that is out there. Marriott hasn't definitively said what was taken, if anything. Putting a hold on credit accounts is a good first step. A freeze on your accounts requires police reports and other documentation of identity theft. And at that, it only lasts 7 years...
 