SPG Reservation System Breached, 500 Million Guests Affected

Marriott has revealed that it detected unauthorized access to the Starwood reservation system and that up to 500 million guests who made a reservation at Starwood properties on or before September 10, 2018 have had their information accessed. For roughly 327 million guests this information includes: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. It also includes encrypted payment card numbers and payment card expiration dates, and Marriott has been unable to determine whether the keys needed to decrypt this information have been stolen as well. For the remaining guests, the information accessed is limited to name, e-mail address and other information.

We’ve said this before, but until the penalties for data breaches are increased they will continue to happen at an alarming rate. It’s clear that corporations are not investing enough resources to keep personal and payment data secure; the penalties for data breaches are not equal to the damage that can be done when somebody has their identity or payment details stolen.


36 Comments

Beak (@guest_682962)
December 1, 2018 12:08

Dear Guest,
We take your personal security seriously, blah, blah, blah.

Josh (@guest_682905)
December 1, 2018 07:19

Some of the people impacted by this data breach were European citizens who are protected by GDPR, so it clearly didn’t help them not lose their data this time. Looks like Marriott can be expecting fines, though. We will see if it proves to be a deterrent moving forward.

Yoni (@guest_682848)
December 1, 2018 00:30

Hey, I know that Amazon recently was giving out GC or Amazon credit for a recent breach about 2 weeks ago. (some reports of $100)

25k SPG points would be nice

tolikfox (@guest_682795)
November 30, 2018 21:49

This is nowhere near as bad as the Equifax hack but still infuriating nonetheless. Our current identity system is archaic and dumb. Take the SSN for example, you’re constantly having to just hand out that info to random people/databases. It’s only a matter of time before this info gets stolen or misused. That is why modern cryptography much like the principle behind cryptocurrency can potentially solve this. Private key/public key system where your private key is never handed out to anyone!!!

Charlie (@guest_682768)
November 30, 2018 21:07

Let me be sure I understand what happened. The Starwood portion of Marriott was breached, not the pre-merger Marriott system. Is that correct?

sdsearch (@guest_682790)
November 30, 2018 21:39

Yes. It started on the SPG side in 2014, when there was no connection at all yet between Marriott and Starwood (not even the hint of a sale yet IIRC). And it ended before they merged the systems together. But it ended so soon before they merged the systems together, that it makes me wonder if they discovered this only because they were about to merge the systems together (and might not have discovered it even now if this merger hadn’t been happening)? So because Marriott bought SPG, it has Marriott’s all over it, but it was SPG that had the breach, not pre-merger Marriott.

Charlie (@guest_682969)
December 1, 2018 12:23

Thanks! For me that’s good news because my data has never been in Starwood’s system but I have been in Marriott’s system for at least a decade or more.

M (@guest_682748)
November 30, 2018 20:31

I wouldn’t be surprised if Marriott’s lying management is in collusion with the data traffickers. They sell customer data anyways. So it’s not a big step for them to expand in the foreign gangsta market.

Chaser123 (@guest_682702)
November 30, 2018 18:56

We are sadly at the point where more data breaches are actually better. Banks will have to find another way to vet you than just your SSN and Name. I know identity theft is a pain but if everyone’s identity is stolen, the information becomes less useful.

Shane (@guest_682689)
November 30, 2018 18:45

Why does SPG need to store credit card numbers, passport numbers, gender and date of birth? Credit card numbers need only be used for a purchase or stored for a short time, say between guest check-in and checkout. Some countries require a hotel to have passport information of guests on file but again only need to hold this between check-in and checkout. As for gender and DOB, there is no reason a hotel chain needs to store this info ever. Companies hold this data mostly because they can and because it gives insight into customers. But rather than penalizing breaches, why not penalize companies who store personal data unnecessarily?

Identity-less (@guest_682684)
November 30, 2018 18:36

I think a fair penalty would be that if a company loses customer identity info, then the company has to lose their own identity. In this case Marriott must give up all rights to the name “Marriott.” They need to get a new identity, everything from domain name, to signage on buildings, to the pens and stationery on the nightstand. All of it. They have to start building a brand/identity from scratch.

Matt Katakis (@guest_682659)
November 30, 2018 17:55

It absolutely sucks for the lack of recourse. But the issue is that companies are boycotted over it. People voice their opinions and then the outrage goes away. The only one that really had any legs was the Equifax one and that’s because stocks were sold out and it dealt with social security numbers.