Posted by William Charles on March 13, 2019

SPG Data Breach: You Can Now Check If Your Data Was Stolen (Results Sent Out)

Update 3/13/19: Results of checking if your data was stolen are now being sent out. Hat tip to reader Dan W

Back on November 30th, 2018, Marriott revealed that SPG reservation systems had been breached, with ~500 million guests' data stolen (since downgraded to 383 million unique guests); some of this information included payment and passport data. Months later it's now possible to find out whether your data was stolen or not (technically Marriott was supposed to have already informed you, but in some cases contact details are either incomplete or inaccurate).

I have a few issues with how Marriott is handling this:

  • The process is being handled by security firm OneTrust, so the actual form is not on the Marriott/SPG website. Marriott really shouldn't be encouraging customers to enter this level of sensitive information on a third-party website.
  • The breach was first reported in November of last year; why has this process taken so long?
  • I don't think Marriott has been proactive enough in informing customers. In some cases the contact information on file is incomplete but what they do have is still accurate (e.g. the e-mail might be wrong but the phone number works).

It's also worth pointing out that the checker isn't instant; you'll need to wait for a response. Personally, there is no way I'm giving potentially even more sensitive data to a third party to check if my data was breached.

Hat tip to TechCrunch



Dick Bupkiss

Corporate Death Penalty and mandatory jail time for top execs

Until we have that, data breaches will continue frequently, because large companies have no reason to give a shit.

Curtis Leasure

While I agree that data breaches are a huge deal it’s impossible to pin it on one group of a company. It would be more logical to ask for the death penalty for hackers and data miners. I just wish companies would do more to make people whole. Free night, for example.

Sam

See, that's just you begging for handouts… a free night does not make you whole in this circumstance. If anything they should cover identity theft protection or something along those lines. There is no equivalency between a free night and data getting stolen.

Frank

I mean a hefty fine would likely be sufficient. Putting a company with 177k employees out of business because they lost some data would certainly not encourage new businesses to come here.

DK

"encourage businesses to come here"
Are you familiar with a lot of businesses that don't want to sell their product in the USA?
Europe has strict privacy laws; have you seen a lot of hospitality brands pulling out of there?
Don't buy into this "if we enforce laws it's bad for business" bullshit.

Frank

1. EU privacy laws are well short of a "corporate death penalty" for lost data.
2. Companies do have active concerns and make investment decisions based on how favorable the law is.

Regulating data storage and transmission is logical and needed; a corporate death penalty is not.

Max

I don’t necessarily agree with the “death penalty” but I do agree with the government taking it over via receivership, firing the entire corporate management team, and board of directors, and then selling to a competitor with a verified track record of safety. I think this would set a harsh standard that says data breaches will not be tolerated

Parkerthon

I don't understand how anyone walks around assuming their PII data is not out there these days. It's basically a guarantee because flaws in identity verification systems simply made it too valuable a long time ago. Sure, corporations could spend all their money on beefing up IT security, but the consumer will ultimately pay for it elsewhere. Even the strongest defense will never fully stop a determined offense. Still, there are certainly many cases of companies blatantly ignoring run-of-the-mill security guidelines from their own people to shave off a fractional percentage of their overhead. In these cases they should be held accountable. But where is that line really? Even IT security people commonly disagree. A better solution is developing systems that make it harder for compromised data to be used by a malicious party. The basics of shared key cryptography are where that system should be founded. That's just too complicated for most people to wrap their head around though, so we continue to bumble on spreading the blame around with no real solution in sight.

Eli

Marriott logic: Well, if it wasn't stolen up until now, why won't you give us all your info again so we can make sure it is stolen on our next breach.

P

Is Marriott too lazy to inform those affected themselves that people need to go find out and if the work? (Asking for a friend 🙂 )

Ann

“technically Marriott was supposed to already inform you but in some cases contact details are either incomplete or inaccurate”

So this is only for if you might have used incorrect/outdated contact info when you stayed there.

Vic

Submitted, need further review. Made me feel even worse about all this. It’s not like I am not applying for a card or something :/

DHKYT

Honestly, it just felt like another attempt to steal my personal info…

Mike V

Not staying at any Marriott any time soon

AkJohnny

or ever.

Frank

What's funny is that the second best way to steal data (after directly stealing it) is by setting up a fake site for people to check if their data was stolen… how about they just use the contact info they already have? Ya know, the phone, email, and address information I gave them…

John

OK, mine was stolen. Are they offering any points or compensation, or do you just get to see that it was stolen?

MoreSun

With the current state of the Marriott- er, Bonvoy program you’re lucky they didn’t charge you miles to check if your info was compromised.

sdsearch

They’re just offering one free year of some identity protection service; that’s the only “compensation”.

keith

Hopefully the database for this search function doesn't get breached…

Mike Advantage

When and how do I get my compensation for this breach of my data?

The U.S. government won't hold any of these companies responsible. Thanks.

MoreSun

ROFL. Nobody can top Marriott like Marriott. It’s an art form really.

Debit

Nothing will happen if you don't go to your Congress person's town hall and bring up the issue. Doc should set up a separate page where people comment on which Congress person they have told that the USA should have data protection along the lines of GDPR. Or the whores in Congress will keep selling their souls for campaign contributions from corporations.

Shawn C

PSA: Your new Marriott number is not what they want in the form. To find your original SPG number, search for an email titled "Welcome to Starwood Preferred Guest"; it will have your old SPG number.

Josh

LOL they couldn’t host/cname under their own domain and HTTPS cert? Wow

Drew R

Filled out this form 2/16, just got a response today:

Dear [name],

We are in receipt of your inquiry regarding whether your personal data was involved in the recent Starwood Guest Reservation Database security incident. Based on the information you provided to us, we believe that your information was involved. Following our analysis, we believe that the following information about you was involved in the incident:

* Name
* Birthdate
* Birthday (Month and Day Only)
* Address Information
* Primary Email Address
* Primary Phone Number
* Other Phone Information
* Credit Card Expiration Date
* Credit Card Type
* Encrypted Credit Card Number
* Starwood Preferred Guest (SPG) Number
* Starwood Preferred Guest (SPG) Loyalty Status and Balances
* Guest Frequent Traveler Program Information
* Starwood Executive Traveler Number
* Guest Opt-In Preferences
* Email Communication Preferences
* Reservation Details
* Central Starwood Unique Record Locator
* Employed at Starwood (Y/N)
* Record History Information

Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year. More information about this service can be found at info.starwoodhotels.com. If you have further questions or requests regarding this information, please contact us through this portal. You will continue to have access to this request for the next 30 days.

Thank you.

Marriott Privacy Center

Joe

I got basically the same thing. Truly pathetic.

Oh – and I blame Marriott at this point. But good job trying to pawn it off on SPG.

Mine also had “Guest Frequent Traveler Program Information.” I hope that isn’t FF#s for linked programs.

Kevyx72

Got the same, plus credit card number and expiration date. Such a long list.

Drew R

Yeah, and I can't imagine how many people put in their newly merged Marriott number and got an email saying their info was not hacked when it actually was. To be sure, I filled out the form twice: once with my old SPG number and once with my SPG/Marriott merged number. The first response said my information was hacked; the second said it wasn't.
