Marriott admitted to falsely claim encryption protocols

[jp10558]

My main issue with the entire thing is the willful brand / trademark confusion. I really hate that stuff. Like it makes it impossible to trust a brand really, which to my eyes really dilutes the value of a brand in the first place.

 

[billymach4]

My main issue with the entire thing is the willful brand / trademark confusion. I really hate that stuff. Like it makes it impossible to trust a brand really, which to my eyes really dilutes the value of a brand in the first place.

Totally Agree. Now this makes me think about the other brands in the Hotel/Timeshare industry.

 

[jp10558]

Its true these are sperate companies, Marriott, Starwood, and MVC. I think the crossover relevance is that timeshare owners like to travel, and may have been impacted by the breach due to their other travel.

As for the encryption issue, i do wonder if the data did have AES-1 encryption in some of the databases, but also the lower level hash in other others or during transport.

The whole thing at a technical level confuses me. AES is symmetrical encryption, SHA is a hashing function. They do different things. AES-1 is not even the normal AES from what I can tell from wikipedia, it was superseeded in 1999 by AES-2, and today everyone I know is using AES-256. I don't think SHA1 is a broken hash function either, just that most people recommend SHA256 now due to faster processors.

Hash functions are one way, so getting SHA1 hashes likely doesn't tell you anything as someone else said. AES1 in any recent situation would be considered somewhat weak, but IDK if it's easily breakable without more research.

I guess I should read more if I cared more, but in terms of kibitzing and hot takes - I think this article is confused enough that I can't determine if this is any more than non technical people mistaking the correct term and not actually anything nefarious.

 

[Dean]

Totally Agree. Now this makes me think about the other brands in the Hotel/Timeshare industry.

Maybe you should dig into how Disney has their corporate structure set up and their rides separated from a Legal standpoint. If you're mind is already blown, it'll explode looking at the Disney structure. I think you're smarter than you give yourself credit for and can separate MVC and the hotel brand very easily.

 

[jp10558]

Totally Agree. Now this makes me think about the other brands in the Hotel/Timeshare industry.

Yea, they're all franchises now from what I can tell. That said, I'm not against franchises, I usually get about the same at any McDonalds or Arbys or Chilis etc. So far Hilton has been pretty consistent for me too, so I remain a fan.

 

[jwalk03]

Yea, they're all franchises now from what I can tell. That said, I'm not against franchises, I usually get about the same at any McDonalds or Arbys or Chilis etc. So far Hilton has been pretty consistent for me too, so I remain a fan.

Not quite "all" but a huge huge percentage. In the case of Marriott there are less than 100 properties worldwide that they own & operate.

 

[dioxide45]

Marriott actively operates or manages about 2,000 properties for the property owner. Then there are properties they own or lease and operate. This is the number that is less than 100. In many cases they may be looking to find a buyer for the property or move it into a REIT. The remaining are all owned and operated by franchisees.

 

[daviator]

So much bad information being thrown about.

Marriott Vacations Worldwide is completely different than Marriott International. I think that 90% of folks on TUG know that.
There were two different Starwood companies: Starwood Hotels got bought by Marriott International, and Starwood Vacation Ownership (which had changed its name to Vistana Signature Experiences) got bought by Interval World, and then Interval World got bought by Marriott Vacations Worldwide.

So in the end, there is the Marriott hotel company (Marriott International) and the Marriott timeshare company (Marriott Vacations Worldwide.) And while they have some contractual relationships (MVW uses MI's brands and their reservations system) the two companies are completely separate financially.

And as complicated as all this is, I do think that 90% of TUG members have at least a general understanding of everything I’ve just stated. It’s kind of funny that someone thinks that because they don’t understand something, nobody else possibly could either.

 

[billymach4]

I could care less about the corporate In-Breeding and their respective agreements.
Having been a member here on TUG since 2006 I know all about the Big Fish and the little fish that have been consumed, hatched, grown up, etc.
Hell I even own legacy weeks when Marriott was one big happy family.
I own post legacy weeks with points.

My point is the original post regarding the data breach.

Marriott admits it falsely claimed for five years it was using encryption during 2018 breach

Marriot revealed in a court case around a massive 2018 data breach that it had been using secure hash algorithm 1 and not the much more secure AES-1 encryption as it had earlier maintained.

www.csoonline.com

I appreciate the history.
One more thing. The run of the mill guest and owners outside of TUG have no idea about this detailed history.

Back to my point. Data Breach's and Ransomware attacks they happen daily now.
My PSA is keep your Digital Life safe.

 

[billymach4]

So much bad information being thrown about.

Marriott Vacations Worldwide is completely different than Marriott International. I think that 90% of folks on TUG know that.
There were two different Starwood companies: Starwood Hotels got bought by Marriott International, and Starwood Vacation Ownership (which had changed its name to Vistana Signature Experiences) got bought by Interval World, and then Interval World got bought by Marriott Vacations Worldwide.

So in the end, there is the Marriott hotel company (Marriott International) and the Marriott timeshare company (Marriott Vacations Worldwide.) And while they have some contractual relationships (MVW uses MI's brands and their reservations system) the two companies are completely separate financially.

And as complicated as all this is, I do think that 90% of TUG members have at least a general understanding of everything I’ve just stated. It’s kind of funny that someone thinks that because they don’t understand something, nobody else possibly could either.

How does this affect the outcome of the Data Breach.

 

[daviator]

How does this affect the outcome of the Data Breach.

The outcome was that many people had their data stolen. It was years ago. There have been so many of these that I can’t remember for certain but I think we got free credit monitoring for a period of time. I don’t expect there is going to be any outcome beyond that for most of us.

i absolutely 100% agree with your recommendations on data security. Never reuse passwords, use a password manager with big long complicated passwords that are different for every site, or use passkeys which are supposedly even more secure. I have had my login data stolen in breaches more times than I can count, but (knock on wood) never been victimized using that data, most likely because I have learned to follow the practices you recommend and others.

 

[billymach4]

I have nightmares about Ransomware, Identity Theft, Scams of all sorts.
It's out of control.

As you can tell I am more than obsessed about this topic.

 

[dioxide45]

I have nightmares about Ransomware, Identity Theft, Scams of all sorts.
It's out of control.

As you can tell I am more than obsessed about this topic.

The most important thing you can do is have different passwords for every website and account you have out there. Never use the same password for a financial account anywhere else.

 

[dioxide45]

So much bad information being thrown about.

Are you referring to the article? If in this thread, I don't see it. Other than the lack of context in the original post, it seems most people are stating what you also stated. I mentioned the Starwood tie in and it being on the hotel side and not vacaion ownership.

 

[daviator]

Since we are on the subject, the most important password you have (and the one that should be the longest/most difficult and changed the most frequently) is your email password. If someone gets into your email, they can reset all your other passwords since typically the password reset email is all you need to do that. Your cell phone is equally important since many sites text you a code for 2FA.