MASSIVE Marriott Data Breach Could Impact 500 Million Guests

At this point it sure seems like major breaches with travel brands are a common occurrence. The latest company to be impacted by one of these is Marriott.

Marriott is investigating a data security incident involving the Starwood guest reservation system. On November 19, 2018, the investigation determined that there was unauthorized access to the database, which contained guest information relating to reservations on or before September 10, 2018.

With this investigation, Marriott learned that there had been unauthorized access to the Starwood network going back as far as 2014. An unauthorized party had copied and encrypted information.

Marriott believes that this contains information for up to approximately 500 million guests who made a reservation at a Starwood property. For about 327 million of those guests, the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For others, this also included payment card numbers and payment card expiration dates.

Marriott’s CEO had the following to say:

“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.

Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

Maybe I’m too passive about this stuff, but I don’t put much thought into these data breaches. I feel like if I did, I’d spend 24/7 paranoid, given how much information we give out to various companies on a day-by-day basis. Short of moving to a deserted island and cutting off contact with the outside world (which doesn’t seem great given that I blog for a living), I feel like I’ll be exposed to this stuff no matter what.

So I choose not to think about it, and in the event that I do ever have issues with a credit card stolen, my identity stolen, etc., I’ll deal with it as need be. I’d rather it be annoying to deal with for a short period of time than have this be something I constantly think about my entire life.

The beauty of credit cards is that you have fraud protection, so in the event that your information is compromised, you’re typically not on the hook. And I’m not too worried about any hackers figuring out my SPG profile preferences otherwise.

So yeah, obviously this isn’t great, but every time I hear about one of these I just kinda go ¯\_(ツ)_/¯.

What’s your take on these data breaches? Immediate panic, or just “it is what it is?”

Comments

  1. My attitude is similar to yours. I have had credit card numbers stolen a few times, at least one I suspect through a tour operator data breach given an email they sent later. I have always just dealt with it and never had to pay anything for the illegitimate charges.

  2. Accenture should be congratulated and recognized as Marriott’s leading consulting, systems implementation, and data security advisor.

  3. Let’s just blame all the technology issues Marriott had with the merger on the data breach? lol, seems like a good scapegoat. It was the hackers, not incompetent planning on Marriott’s part!

  4. If I recall from the (excessive amount of) time I spent reading about the IT merger back in August and September, there was a fair amount of griping that Marriott didn’t move to the SPG platform but instead transitioned SPG data to the less customer-friendly Marriott platform. Maybe this was a blessing in disguise? If the breach had been going undetected since 2014, what type of security protocols did SPG have in place? Also, if that long, presumably many people whose data was accessed have already had to deal with attempted fraud? As usual, lots of unanswered questions and a story to spend (an excessive amount of) time following. Although trying to hook up with pilots on Grindr while at cruising altitude (which can be reached without ever leaving the ground LOL) is much more fun.

  5. Companies will only proactively deal with IT security when customers make it an issue which affects their willingness to deal with the company in future if it suffers a breach.

    If customers say ¯\_(ツ)_/¯ then companies will too.

    It is down to customers to show they care.

  6. There was no mention of passwords being stolen, but it’s always a good idea to change your password after any data breach – and keep a unique password for every online account.

  7. Every single week our company issues some kind of IT threat, mostly other firms saying they were not paid – all legitimate-looking emails and all (yep, we now know how to spot the cyber thieves, we think).. but they keep coming every week with new ideas. And their written English or German is perfect too.. And it’s not only invoicing who deal with these issues, HR as well, with apparently a new employer asking for some details on ex-colleagues of ours..

    Basically, we all personally should be responsible for, and with our personal data, knowing the tricks of the industry which are getting trickier day by day.

    Overall – I’m with Lucky on this one. Maybe my whatever information was already compromised by the Yahoo email issues. Or my FB account? Or… hang on, I ordered pizza the other day, maybe they misused my info too?

    (just to add, our firm isn’t customer orientated the way Marriott or others are, but still, we do deal with huge clients, including Airbus, on a daily basis)

  8. It’s interesting that most people tend to look at events like this as mainly having financial implications. What do you do if your passport data are breached and misused? AFAIK, no monitoring service covers passports – you can’t replace it as conveniently as a credit card, and you will most likely encounter an issue with it in a foreign country.

  9. Lucky, you’re not worried about this, yet you put ‘MASSIVE Marriott data breach’ (with massive in all-caps) in the title? When I clicked on the article, I was hoping you’d be as pissed off as I am. Instead, it seems it was just for clickbait?

    Regarding the hack, it’s nuts to me that a site visited by frequent travelers isn’t more pissed off about this. Yes, maybe we don’t care about our name & email getting out there, but this breach apparently also includes:
    a) birthday
    b) address
    c) passport number
    d) possible credit card(s) data

    More importantly, the hack had been ongoing for FOUR years! And Marriott’s response to the SEC has literally been to say “ah, we have insurance for this–don’t worry about it”

    Until customers get mad enough to take business elsewhere, we will never get a different response from companies except “we’re sorry and are taking immediate action” …whatever the hell that means.

  10. Take my eyes but not my login hehe…I, too, feel my personal info is everywhere on the darkgrams. There’s plenty of free and paid services that’ll alert you to changes. The downside is we have to monitor through several different monitoring services, when using free options, to maintain our info across all credit bureaus. Then we must also monitor every account to ensure there’s no fraudulent activity. This is simply too time-consuming and allows fraudsters the opportunity to do their thing.

    I recently had two Credit Inquiries hit my profile due to ID theft. Placing a security freeze on all 3 bureaus was much easier than expected. Now I’ve been monitoring all my 20+ accounts for activity like new AU or change in contact/login info. This is the new headache of the digital age for those of us who enjoy this points hobby.

    I feel breaches will get worse but some due diligence goes a long way to mitigate fraud. I dabbled with paid services like Lifelock before settling with Discover’s paid service, which is 50% less and offers same level of service as Lifelock’s Ultimate (top tier) Plan. It’s nice having one centralized place updating me on my credit reports. But it does pose a fine-line-question of how much is enough when you’re LOL/24?

  11. Good to see that Marriott is taking the blame here when it seems it was an enormous SPG hole that let someone in AND go unnoticed for years! Why not more outcry against the SPG platform???

  12. Wow, this is the first time I’ve read one of your posts and thought what you’re saying is completely idiotic.

    First, you should be very concerned about cybersecurity in ALL areas of business & government, since in such an interconnected world you never know who has your data. And what kind of sensitive information is contained in that data (SSN, DoB, etc.). Even if you didn’t explicitly consent to your data being shared, they all share it behind the scenes, either wittingly or otherwise.

    Second, yes, you have credit card fraud protection. But for someone whose business is built on informing readers about CC rewards to just shrug your shoulders and rest easy because of it is selfish and short-sighted at best. CC fraud is a massive drag on the profits of all businesses that accept CCs, not just the issuing banks. A rise in the cost of fraud prevention, detection, insurance, etc., has a DIRECT impact on exchange fees and consequently the rewards banks are able to offer us.

    I know you didn’t have any malicious intent in being so glib about this, but perhaps you should be more thoughtful before dismissing something as serious as this. FOUR years this has been going on.

  13. Not everyone has dozens of credit cards at hand, so cc fraud isn’t a non-issue. This latest breach is another reason not to provide valid card information when making hotel reservations that aren’t prepaid. Yes, hotels you stay with will eventually get your info when checking in, but there’s no reason to also leave your cc info just sitting there with every travel account you registered for.

  14. “there had been unauthorized access to the Starwood network going back as far as 2014”

    So when are the hackers going to get around to using all this data? If it’s been going on for 4 years, and apparently not been a problem so far, what’s the point of telling us about it now?

    Immediately change your password that hackers have had for 4 years? Seriously?

    Horse, barn door, you know?

  15. I just completed a stay the other day at a Residence Inn and I used my Citi Prestige card 4th night free, which I have sock-drawered most of the time, and as soon as I checked in, I got two fraudulent charges for $2900 in concert tickets in two transactions. It could be a coincidence, but sure doesn’t seem like it.

    Last week I made a booking on British Airways and I got a good chuckle out of it when it asked me if I wanted to store my credit card info on their servers since it’s safer than sending it over the internet every single time.

  16. Marriott may have to worry. Under the new General Data Protection Regulations the maximum monetary penalty for a breach is 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

    With Marriott’s revenue in 2017 standing at $22.894bn, the hotel chain faces the possibility of a $916m penalty!

  17. Not caring whether they get your CC number and make unauthorized charges is one thing. Getting enough personal info such that they can steal your identity is another, and something one should be concerned about. If they start getting credit cards, bank accounts, etc in your name, it’s your credit rating that goes in the toilet, and can be a real PITA to fix.

  18. I took part in the CX data breach lawsuit, I’m just waiting for customers to get angry enough to launch one on Marriott, personally if I had gotten angry with Marriott I would have died of a brain aneurysm ever since the merger began. But I choose to pick my battles and walk away from the program.

  19. Having worked in IT security for the last 2 decades I can say that yes, you can’t be paranoid about this kind of stuff, because if the hackers want in they will likely find a way in. Hoooowever, having worked and studied up on many of these companies, it IS their responsibility to at least try to secure their infrastructure. These billion dollar corporations almost always refuse to spend a few extra million to shore up their security. They never react until something like this happens. Part of it is cheapness and part of it is that those higher up in charge are almost always oblivious to how technology works and won’t make the informed decision, because why on earth would an old bald fart exec want to listen to geeks tell them what to do. While these companies will never block any hacker 100%, there are many many ways to make the hacking really difficult and time consuming. We shouldn’t hear about major breaches more often than once every few years.

    Look at UAL and their pathetic understanding of security. They have the nerve to call their website secure and multi-factor enabled when all they are doing is asking you a 2nd login question (with static answers no less, making them even less secure than before they implemented that nonsense).

    Or Starbucks, whose app used to store credentials in clear text on the phone. They refused to listen to the security community until the day after Target got hacked and someone wrote in a newspaper article that Starbucks is next because of their app. And then all of a sudden Starbucks patched their app. How secure could that rush job have been??

    Bottom line, many many non-tech-centric companies make a laughable effort at security. It’s like locking your house with a broomstick and hoping that’s sufficient. They deserve what they get.

  20. Not the Conrad – structures on the beach and facing the wrong direction (looks like sunset to me).

    Got hacked last month at the start of a holiday. Devastating, as it took AMEX almost a month to get me a replacement card and the website no longer shows the new card and they can’t fix it. Probably from the BA hack in the summer.

    BA, Starriott, and the rest should be on the hook for compensation for anyone whose account is hacked. Minimum $100 per incident plus covering any losses.
