Posted by William Charles on January 4, 2019

SPG/Marriott Data Breach Update: Passport Numbers Not Encrypted

Marriott has provided an update on the SPG reservation database breach that was first disclosed on November 30th, 2018. Key points from the update:

  • 25.5 million passport numbers were included. Of these, 5.25 million were stored unencrypted.
  • 8.6 million encrypted payment card numbers were involved. There is no evidence that the master key used to encrypt them was accessed, although Marriott admits that card numbers may also have been entered into other fields, and those fields were not encrypted.
  • Marriott now puts the upper limit on the number of guest records involved at approximately 383 million, down from the original figure of 500 million. It states that fewer than 383 million unique guests are affected, but it is unable to say how many (very reassuring…)

I got into a debate with somebody the other day regarding this breach; they said this really wasn’t Marriott’s fault and that Marriott was a victim of this whole mess, as SPG was the one whose systems were breached. I argued that Marriott should have done due diligence regarding information security before acquiring SPG. I’m not an information security expert, but not encrypting all passport numbers seems like a fairly massive security flaw.

Until the penalties for data breaches are increased, they will continue to happen at an alarming rate. Marriott seems hell-bent on pushing the narrative that Chinese state agents were responsible for the hack, but in my mind that only makes information security more important, not less. Companies have a responsibility to keep private information private, and if they fail to do so they should be punished harshly.



perfectviking

You’re absolutely right that this is on Marriott. Due diligence and post acquisition audits should have caught this and they failed at both. I’m baffled that there are Marriott apologists specifically for this.

vipul

Forget about post-acquisition audits, even today they are not encrypting passport data. Marriott said they are looking into whether it’s possible to encrypt passport data.

dk

The apologists are on the PR payroll.

Frank

The subtlety is that you can’t get mad at MARRIOTT for losing the data (it was SPG who lost it) BUT you certainly can and should punish Marriott — they bought both the assets and the liabilities. Definitely something that should have been reviewed in DD.

jed

The problem with punishing them harshly is that they won’t report it when they discover they have been breached.

Seth

Or it’ll put pressure on companies to not store extra information on their servers. There’s no need to store passport numbers, if a govt mandates that a hotel has to keep records of this then just store it all on an offline computer, makes it pretty hard to hack…

Igor

Lock ’em up?

Jacky Guo

Sadly, the primary motivation for an organization to improve its security posture is usually regulatory or contractual obligations. To the best of my knowledge, at least in the US, there are no regulations requiring a business/org to encrypt passport data.
Well.. at least only having a passport cannot really do anything. Nowadays, most major countries have joined the ICAO PKD. This makes forging a passport extremely difficult. This includes the European Union, the US, Japan, and even China. A forged or modified passport will automatically void the digital signature.

Ben

How bad is having your passport number leaked?

foobar

It can be bad if/when it’s combined with other hacked information. NYT has an article on the possible connection between this and the OPM breach, and if that ends up being true, it may have some disastrous consequences.

Mike Advantage

Terrorists can steal your identity and make fake passports with your info..

Stable Genius

How can anyone apologize for this IS laziness? As a national security matter, China has compiled OPM background files hacked, with the identifiers of government travelers at an American firm across the world, and whatever plaintext info was entered at the hotel itself because no oversight existed. There is no apology, and for Marriott to hide behind the excuse that “we don’t know who did it and it wasn’t us and it’s not a big deal” is embarrassing. Truly eye-opening need for Congress to impose liability for these structural weaknesses because nothing else works!

Won

Jeez, way to bid customers’ loyalty Bonvoy-age.

Igor

You Won the internet with this one…

Won

Do I get paid in Bonvoys?

Kuso29

My first question is why and who gave the authority for Marriott to store and retain passport numbers and credit card information? Once the guest has completed their stay at the property, that information should be erased from their system. What gives them and other companies the right to store the information of clients?

Won

I’m assuming it’s the customers who have Marriott loyalty and choose to store their info in Marriott’s system for convenience?

Stable Genius

It was also stored locally at hotels; there was no standardization or protection. Both were hacked.

Pbjclimbing

Some countries require passport records be kept

Mi b

Don’t want to nitpick but:

“5.25 million passport numbers were included and these were not encrypted. In addition to this 20.3 million encrypted passport numbers were also accessed, but the master key was not accessed.”

Makes it seem like only the 5.25 were included, perhaps “25.5 million passport numbers were included. Of these, 5.25 were not encrypted…”

Thanks for the informative post

quasimodo

Heck.. how would SPG even have my passport #? Did they enter it in when I stayed at a Sheraton or Four Points abroad? Good thing I renewed my passport recently… the old # is nada… think I’ll call to get a new Amex SPG card #… it’s the only card I’ve used at Marriott properties.

nuff

“383 million unique guests are affected” WTF

Ann

“how would SPG even have my passport #?”

You would probably have been told they were collecting it if you stayed at a hotel in a location that requires collecting that information from guests. Unfortunately there doesn’t seem to be a list of such locations available. https://mashable.com/article/hotel-passport-data-collection/

quasimodo

thxs

jason

As a software engineer myself, I find this behavior of not encrypting sensitive data extremely sloppy and unprofessional. Did they even hire professional IT people to handle their website and data?

Bostonwalker

Just blame China. Problem solved! LOL

Ed K

Sanction any and all countries, including the U.S., for any part they played in retrieving and collecting citizens’ personal data without our direct authorization. In fact, we need to treat our most valued personal data, such as health records, SS#, passport numbers and any data we as citizens treat and declare as our own, as if it were copyrighted material under the law. If a person, government agency, crook or spy (some would say they are all of these) wants to steal or re-publish part of your copyrighted song, they must pay a licensing fee to YOU. They want our data, they must pay each one of us for our data. We’ve let governments and their agents collect, store and use our data without true compensation. Congress is not protecting us like they should; they create the laws. Oh sure, they’ll place more sanctions and so forth, but each of us that has been affected should get a piece of that money instead of it going into the government’s hands. Are we the people not the government in the U.S.A.?

I get tired of even these class actions brought by state attorneys general in which they act like it’s for ‘we the people’, yet each citizen doesn’t actually receive a check in the mail; instead the states create more agencies off their winnings/settlements. I’ve opted out of some class actions so I could reap on my own and got others to join me in our own sub-class (seems the only way to see any true value). In the end, it’s politics that drives state attorneys general to go after companies, but most of the citizens never really see a dime, only new government buildings, some new hires, and then the politician turns around at election time saying “look how I fought for you”. – My rant for the day. 😉 Of course, this is why I don’t use FB or other sites that I knew could be data mining, which is of course the whole point if you want to be in the media business and make money from ads. VPNs help too.

Sam

Marriott sucks now.

Bill

Realistically there is a massive difference between Chinese government hackers and non-state-sponsored hackers. I don’t think we can expect Marriott to fend off the Chinese government. I don’t think the US government is very capable of doing that. For those of us who visit China, the government likely had all this info already.
