[merged] Marriot's Starwood Hotel reservation database has been hacked

Ralph Sir Edward · Nov 30, 2018

I'm providing this article for those who might be involved.

https://www.cnbc.com/2018/11/30/mar...ched-onapproximately-500-million-guests-.html

This is for hotel stays, but who knows what the total ramifications might be.

cubigbird · Nov 30, 2018

CNN reported this today:

Marriott says 500 million Starwood accounts compromised
https://www.cnn.com/2018/11/30/tech/marriott-hotels-hacked/index.html

mdurette · Nov 30, 2018

LONDON — The Marriott International hotel chain said on Friday that the database of its Starwood reservation system had been hacked and that the personal details of up to 500 million guests going as far back as 2014 were compromised.

The hotel group, which runs more than 6,700 properties around the world, was informed in September about an attempt to access the database, and an investigation this month revealed that unauthorized access had been made on or before Sept. 10, Marriott said in a statement.

The investigation also found that an “unauthorized party had copied and encrypted information, and took steps toward removing it,” the statement said.

The hotel chain said that personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised.

pedro47 · Nov 30, 2018

Thanks for sharing this information.

dsmrp · Nov 30, 2018

Affecting reservations database of Starwood hotels. Potentially affecting 50 million guests!
From Wash Post. https://wapo.st/2Rui0CpM

Renzo · Nov 30, 2018

https://apple.news/A9sBRWRG7SSCKNyCaayPXiA

bogey21 · Nov 30, 2018

The Marriott News Release says "up to 500 million" and that they "deeply regret it". Apparently they acquired this problem from Starwood nonetheless you would think these big companies would control things better...

George

SmithOp · Nov 30, 2018

bogey21 said:
The Marriott News Release says "up to 500 million" and that they "deeply regret it". Apparently they acquired this problem from Starwood nonetheless you would think these big companies would control things better...

George

Cost cutting to boost shareholder profits would be my assessment of why they don’t fund the IT security required to thwart hackers.

Sent from my iPad using Tapatalk Pro

dsmrp · Nov 30, 2018

According to Wash Post article, the unauthorized access went back to 2014!!!
Astounding

gravitar · Nov 30, 2018

From an article I read this morning.

Marriott-owned Starwood the largest hotel chain in the world, with more than 11 brands covering 1,200 properties, including W Hotels, St. Regis, Sheraton, Westin, Element and more. Starwood branded timeshare properties are also included.

Sent from my SM-N950U using Tapatalk

geist1223 · Nov 30, 2018

Marriott recently released the information that the Starwood Reservation System has been hacked continuously since 2014 affecting about 500,000,000 Users. It appears that those responsible also Hacked the encryption keys. So data including credit card information was probably compromised.

TravelTime · Nov 30, 2018

Just what Marriott needs now. I wonder if this is somehow related to the the merger integration issues. They had so many systems issues during the merger that could that have somehow made them more vulnerable. I do not think they were ready for the merger and they need new IT people.

Just read the Wall Street Journal article. I guess Marriott is also concerned that people will be blaming the merger.

Marriott said its internal security tool alerted it of a potential breach to its U.S. database on Sept. 8. After an investigation, the company found that the Starwood guest database may have been compromised since 2014, which precedes Marriott’s acquisition of Starwood. The database contained information for guests who made reservations on or before Sept. 10.

The company found the unauthorized party had copied and encrypted information from the database, and had attempted to steal it. However, it wasn’t until Nov. 19 that Marriott was able to decrypt the information to find out what the contents of the breach were.

bluehende · Nov 30, 2018

geist1223 said:
Marriott recently released the information that the Starwood Reservation System has been hacked continuously since 2014 affecting about 500,000,000 Users. It appears that those responsible also Hacked the encryption keys. So no data including credit card information was probably compromised.

I thought that 327 million of those did have data such as cc numbers passport numbers and dates of reservations compromised.

edited to say it is not clear here is a copy and paste of a comment from marriot

For 327 million people, Marriott says the guests' exposed information includes their names, phone numbers, email addresses, passport numbers, date of birth and arrival and departure information. For millions others, their credit card numbers and card expiration dates were potentially compromised.
Marriott warns that it can't confirm if the hackers were able to decrypt the credit card numbers.

TravelTime · Nov 30, 2018

Some additional information:

The Marriott hack is one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected. Only a 2013 breach of Yahoo AABA +1.21% that affected three billion people, nearly the entirety of Yahoo’s user base, may be bigger, security experts said.

The compromise of passport information could be the most significant aspect of the Marriott breach, particularly if it was carried out by a state-sponsored actor for intelligence purposes, said Mr. Darche, a former official with National Security Agency.

“We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” Mr. Sorenson said.

TravelTime · Nov 30, 2018

Wall Street Journal articles says a lot of personal data was potentially accessed:

For roughly two-thirds of the guests who were possibly affected, an unauthorized party may have had access to names, addresses, phone numbers, email addresses, passport numbers and travel details, Marriott said Friday. In some cases, the company said, the information also included payment-card information. Marriott said payment-card numbers are usually encrypted, though it could not rule out that card information was stolen.

T_R_Oglodyte · Nov 30, 2018

Moderator suggestion: There are two active threads on this hack (the second is in the Marriott forum). I suggest the threads be consolidated.

I suggest merging into the Lounge forum, because there are many TUGgers (like myself) who might be affected but are not Marriott Vacation Club owners and don't spend time in the Marriott forum.

T_R_Oglodyte · Nov 30, 2018

Moderator suggestion: There are two active threads on this hack (the second is in the Lounge). I suggest the threads be consolidated.

I suggest merging into the Lounge forum, because there are many TUGgers (like myself) who might be affected but are not Marriott Vacation Club owners and don't spend time in the Marriott forum.

TravelTime · Nov 30, 2018

This article has a summary of what may have happened:

https://www.travelagentcentral.com/...VLaTBvak82dUdTRkVJZ09qbzc5In0=&mrkid=77639252

controller1 · Nov 30, 2018

T_R_Oglodyte said:
Moderator suggestion: There are two active threads on this hack (the second is in the Lounge). I suggest the threads be consolidated.

I suggest merging into the Lounge forum, because there are many TUGgers (like myself) who might be affected but are not Marriott Vacation Club owners and don't spend time in the Marriott forum.

There's also a thread in the Vistana forum.

pedro47 · Nov 30, 2018

Thanks you TravelTime for that very helpful article. First TJ Maxx, Target, now Marriott’s when is it going to stop?

brianfox · Nov 30, 2018

bogey21 said:
The Marriott News Release says "up to 500 million" and that they "deeply regret it". Apparently they acquired this problem from Starwood nonetheless you would think these big companies would control things better...

George

But hey, at least they "deeply regret it".

Wouldn't surprise me if it was done by an IT worker who was cut as part of the consolidation.

amycurl · Nov 30, 2018

Passport number is yuuuuuge, y'all. I'm sure they "deeply regret" it; the depth of their regret will be proportional to the depths that their stock prices sinks today and Monday. Talk about releasing this news on Take Out the Trash day....

MULTIZ321 · Nov 30, 2018

500 Million Marriott Customers Affected in Massive Data Breach
By Bloomberg/ Business/ Security/ Time/ time.com

"Marriott International Inc. said it’s investigating a hack of the guest reservation database at its Starwood unit that may be one of the biggest such breaches in corporate history. Marriott shares slumped 5.6 percent in pre-market trading.

The attack is troubling not just because of its sheer size, but also the level of detail potentially stolen by the attackers. The hack affects some 500 million guests, and for about 327 million of them, the data included passport numbers, emails and mailing addresses, Marriott said. Some credit card details may also have been taken.

The Marriott hack may rank only below Yahoo as one of the biggest of personal data, when 3 billion users were exposed to a 2013 security breach.

Regulators and consumers have been stepping up their action against companies that have suffered security breaches as such attacks have increasingly become more severe. Target Corp. last year agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen, while Equifax is facing billion-dollar law suits and a regulatory investigation.

“The breach is so big that the company may face a large fine from the authorities and the market is factoring that in,” said Juan Jose Fernandez Figares, chief analyst at Link Securities in Madrid. “This is yet another company that has been hit by a hacking and a reminder to any company that manages customers’s personal data that they need to work harder to protect them from future attacks.”

Marriott’s statement indicates the hacking was going on years before the company acquired Starwood in a deal valued at about $13.6 billion that closed in September 2016. Marriott’s database contained guest information relating to reservations at Starwood properties on or before Sept. 10, 2018. For some, it also included payment card details, said Marriott, which didn’t identify who the perpetrators might be....."

Richard

sea&ski · Nov 30, 2018

Regardless whether you have actively stayed in a SPG related venue, I just checked and my Marriott p.w. is exactly the same as the Starwood one, so when did that occur??? and I think it may be prudent to change passwords (at the very least.) Probably won't stop the real "damage" if there is any, but I've stuck my finger in the dam in any case...

controller1 · Nov 30, 2018

brianfox said:
But hey, at least they "deeply regret it".

Wouldn't surprise me if it was done by an IT worker who was cut as part of the consolidation.

That person would have had a great crystal ball since the breach began in 2014.

[merged] Marriot's Starwood Hotel reservation database has been hacked

Ralph Sir Edward

cubigbird

Tug Review Crew Veteran

mdurette

Sighting Expert & TUG Review Crew: Expert

pedro47

TUG Review Crew: Expert

dsmrp

Renzo

bogey21

SmithOp

TUG Review Crew

dsmrp

gravitar

geist1223

TravelTime

bluehende

TUG Review Crew: Veteran

TravelTime

TravelTime

T_R_Oglodyte

T_R_Oglodyte

TravelTime

controller1

pedro47

TUG Review Crew: Expert

brianfox

amycurl

TUG Review Crew

MULTIZ321

sea&ski

TUG Review Crew

controller1