Posted by William Charles on November 30, 2018

SPG Reservation System Breached, 500 Million Guests Affected

Marriott has revealed that unauthorized access to the Starwood reservation system has been detected and that up to 500 million guests who made a reservation at Starwood properties on or before September 10, 2018 have had their information accessed. For roughly 327 million guests this information includes: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. It also includes encrypted payment card numbers and payment card expiration dates, and Marriott has been unable to determine whether the keys needed to decrypt this information have been stolen as well. For the remaining guests, the information accessed is limited to name, e-mail address and other information.

We’ve said this before, but until the penalties for data breaches are increased, they will continue to happen at an alarming rate. It’s clear that corporations are not investing enough resources to keep personal and payment data secure, and the penalties for a data breach are not commensurate with the damage that can be done when somebody has their identity or payment details stolen.



MarcoPolo

Here we go again.
We’re screwed.
Anyone for class action?

carl wilson

Sure. You wanna wait 2+ years to get $19. They’ll throw in free credit monitoring, that’ll pair well with the 5 other free credit monitoring you’ll already have from the other breaches.

Vy

Boy oh boy. I hope so.

Sean Paul

A class action spread across hundreds of millions of members would probably generate about 50 cents per person…

Debit

You think Facebook is the first institution to treat people as products? The US Congress and their business cronies have been doing it for many decades.

Mike

Just another advantage of churning cards. As long as you don’t keep them for more than six months who cares who’s got your number!

Dan - Legal Bank Robber

Yeah till they get your SSN…

Joseph Gross

And passport number.

Marriott breach: Here’s the risk of a compromised passport number

Marriott announced Friday that 327 million consumers affected in its data breach had information compromised that could include a passport number, among other data.

Experts say thieves could use your passport data in conjunction with other personal details to verify your identity in opening new accounts or gaining access to existing ones.

https://www.cnbc.com/2018/11/30/passports-compromised-in-the-marriott-breach-could-lead-to-fraud.html

Mike

True, luckily Marriott doesn’t have my pp number or soc. I know it’s still bs and their apathy sucks.

bc

You’ve never stayed at an SPG/Marriott property outside of the US?

Emporio

I stayed at a (SPG) Westin in Los Cabos Mexico and never provided any passport info on my reservation. Or is Mexico considered an extension of the US until we build that wall?

Frogger

Marriott probably has everyone’s SSN as part of keeping people from getting both Chase and Amex cards.

sdsearch

But what you describe is Marriott after the systems were (mostly) combined. That restriction on Chase and Amex cards started only a few months ago. This happened to Starwood before the systems were combined on Aug 18 of this year. The only reason it’s tied to Marriott in the news is because Marriott now owns Starwood, but this problem started in 2014 per the announcement at the above link, and in 2014 Starwood was not even being considered being sold to Marriott (or anyone else).

In fact, I wonder if Starwood would have ever found the problem themselves, or is it a problem that Marriott discovered as it was trying to (and only because it was trying to) integrate Starwood?

sdsearch

Even without churning, this might be a blessing in disguise for the devaluation (for many) of the SPG card this year. So many people who have used their SPG card at SPG hotels during this breach are dumping this card now, just because they don’t like the “Marriottization” of it.

Also, the SPG numbers that existed when this ended (on Aug 10) no longer exist. Just over a week later (nominally on Aug 18, but most people couldn’t log in until a couple days later), everyone was issued new SPG numbers in a different format.

carl wilson

Once again not affected personally, but it doesn’t diminish my outrage.

If the penalties were similar to the ones for medical malpractice or workplace injury or workplace discrimination/harassment, maybe we wouldn’t be dealing with this all the time.

Pablo

“Corporate Death Penalty” with mandatory jail time for all C-level officers might make them wake up and take it seriously.

Until then…party on, and “do you have any Grey Poupon”?

alvinroast

There is actually another way when corporations are treated as people.

Imagine if a corporation “went to jail”? What rights of movement and income production could happen if there were equal punishment for corporations? What about the death penalty? Can a corporation be executed? The C-level officers are still conspiring with the corporation. There are so many ways to treat this even in a “corporations are people” world. You just need a judiciary that’s not on the take.

Francisco

And their change password system is down. Smh

Parkerthon

We need data privacy regulations like Europe has, à la GDPR. It forces companies to protect any personally identifiable information or they get fined out the yang. I will say though, being on the side that has to comply, it’s costly and disruptive. A better question is why we don’t do a better job of verifying a person’s identity as it relates to anything where they could be found liable for payment? At this point, the jig is up on criminals actually having data they can work with to defraud. That was over several years ago. The real solution is creating something better than a unique static 8 digit number, address, and occasionally some credit history related question challenges being the key factor to identifying yourself. I think large amounts of money in information security investment as instigated by heavy handed government regulation would be better targeted at adopting a solution along these lines.

Jonathan S

I’m not necessarily disagreeing with your suggestions for how to mitigate data breaches, but two important questions:
1) what is the cost (time, money, etc.) that is pushed onto the banks in terms of identity protection and the cost pushed onto the consumer in terms of identity theft?
2) what would be the cost to reduce data breaches by, say, 90 percent?

In regards to 1), I imagine that the banks are the ones who are hurt the most by data breaches (i.e. they have to eat it on a lot of fraudulent purchases). Yes, it is inconvenient to have to monitor and freeze your credit, but as consumers we have pretty good protection.

Regarding 2), there have got to be diminishing returns regarding security and privacy. At some point, each $1 you throw at protecting consumers’ information starts to protect something far less than that $1 in return.

I’m all for avoiding headaches and theft at the hands of fraudsters, but it’s hard to place the blame without knowing the answers to these 2 questions. However it works, you want the marginal cost of both 1) and 2) to be roughly equal.

Matt Katakis

It absolutely sucks for the lack of recourse. But the issue is that companies are boycotted over it. People voice their opinions and then the outrage goes away. The only one that really had any legs was the Equifax one and that’s because stocks were sold out and it dealt with social security numbers.

Identity-less

I think a fair penalty would be that if a company loses customer identity info, then the company has to lose their own identity. In this case Marriott must give up all rights to the name “Marriott.” They need to get a new identity, everything from domain name, to signage on buildings, to the pens and stationery on the nightstand. All of it. They have to start building a brand/identity from scratch.

Shane

Why does SPG need to store credit card numbers, passport numbers, gender and date of birth? Credit card numbers need only be used for a purchase or stored for a short time, say between guest check-in and checkout. Some countries require a hotel to have passport information of guests on file, but again they only need to hold this between check-in and checkout. As for gender and DOB, there is no reason a hotel chain needs to store this info ever. Companies hold this data mostly because they can and because it gives insight into customers. But rather than penalizing breaches, why not penalize companies who store personal data unnecessarily.

Chaser123

We are sadly at the point where more data breaches are actually better. Banks will have to find another way to vet you than just your SSN and name. I know identity theft is a pain, but if everyone’s identity is stolen, the information becomes less useful.

M

I wouldn’t be surprised if Marriott’s lying management is in collusion with the data traffickers. They sell customer data anyways. So it’s not a big step for them to expand in the foreign gangsta market.

Charlie

Let me be sure I understand what happened. The Starwood portion of Marriott was breached, not the pre-merger Marriott system. Is that correct?

sdsearch

Yes. It started on the SPG side in 2014, when there was no connection at all yet between Marriott and Starwood (not even the hint of a sale yet IIRC). And it ended before they merged the systems together. But it ended so soon before they merged the systems together that it makes me wonder if they discovered this only because they were about to merge the systems together (and might not have discovered it even now if this merger hadn’t been happening)? So because Marriott bought SPG, it has Marriott’s name all over it, but it was SPG that had the breach, not pre-merger Marriott.

Charlie

Thanks! For me that’s good news because my data has never been in Starwood’s system but I have been in Marriott’s system for at least a decade or more.

tolikfox

This is nowhere near as bad as the Equifax hack, but still infuriating nonetheless. Our current identity system is archaic and dumb. Take the SSN for example: you’re constantly having to just hand out that info to random people/databases. It’s only a matter of time before this info gets stolen or misused. That is why modern cryptography, much like the principle behind cryptocurrency, can potentially solve this. A private key/public key system where your private key is never handed out to anyone!!!

Yoni

Hey, I know that Amazon recently was giving out GC or Amazon credit for a recent breach about 2 weeks ago. (Some reports of $100.)

25k SPG points would be nice

Josh

Some of the people impacted by this data breach were European citizens who are protected by GDPR, so it clearly didn’t help them not lose their data this time. Looks like Marriott can be expecting fines, though. We will see if it proves to be a deterrent moving forward.
