Marriott Starwood Security breach - 500 million guests

NoHeat
Posts: 221
Joined: Sun Sep 18, 2016 10:13 am

Marriott Starwood Security breach - 500 million guests

Post by NoHeat » Fri Nov 30, 2018 9:59 am

A big data breach. Company statement:

https://answers.kroll.com

Excerpt:

information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

cinghiale
Posts: 1175
Joined: Wed Oct 17, 2007 4:37 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by cinghiale » Fri Nov 30, 2018 11:15 am

Thank you very much for posting this.

I was able to follow the link and get enrolled in the proffered protection service. Given the incremental way in which affected customers will be notified, your timely post may have allowed me to get out in front of potentially millions of applicants. Again, big thanks.
"We don't see things as they are; we see them as we are." Anais Nin | | "Sometimes the first duty of intelligent men is the restatement of the obvious." George Orwell

cinghiale
Posts: 1175
Joined: Wed Oct 17, 2007 4:37 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by cinghiale » Fri Nov 30, 2018 11:23 am

A checklist of things to do if you suspect that your personal data and information were implicated:

https://www.cnbc.com/2018/11/30/how-to- ... um=twitter
"We don't see things as they are; we see them as we are." Anais Nin | | "Sometimes the first duty of intelligent men is the restatement of the obvious." George Orwell

alfaspider
Posts: 1611
Joined: Wed Sep 09, 2015 4:44 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by alfaspider » Fri Nov 30, 2018 11:29 am

At this point, I pretty much assume everyone who has ever provided personal information to any large company has had their data stolen. If someone wants your personal info, it's out there on the darkweb for whoever cares to buy it.

nisiprius
Advisory Board
Posts: 37049
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Marriott Starwood Security breach - 500 million guests

Post by nisiprius » Fri Nov 30, 2018 11:39 am

So, who is "Kroll" and how do I know it is safe to enroll in the "Kroll Web Watcher Monitoring Service?" Free, but only for a year.

Anyone go far enough to find out if they ask for a credit card number at any point?

...I'm getting mighty tired of companies whose response to data breaches is to ask you to provide sensitive information to another company...
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

Elysium
Posts: 1365
Joined: Mon Apr 02, 2007 6:22 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by Elysium » Fri Nov 30, 2018 11:47 am

Isn't it just safer and better to freeze credit?

Instead of enrolling in credit protection which requires keeping credit open. I am sure at this point my data is breached multiple times already through all these large corporations, and the OPM data breach where me and spouse were both affected.

Our credits are frozen since then. Am I missing something else I should do?

Just sayin...
Posts: 213
Joined: Tue Oct 09, 2007 10:12 am

Re: Marriott Starwood Security breach - 500 million guests

Post by Just sayin... » Fri Nov 30, 2018 12:07 pm

One minor thought: use a password protection/storage program (I use 1Password) that generates and manages a unique and random password for each site. That way, if a password is compromised, it only affects a single site.

That said, I have employed a credit freeze across all agencies after the Equifax breach in 2017. I’m told it is now free?

jasc15
Posts: 383
Joined: Wed Dec 19, 2012 1:36 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by jasc15 » Fri Nov 30, 2018 12:44 pm

alfaspider wrote:
Fri Nov 30, 2018 11:29 am
At this point, I pretty much assume everyone who has ever provided personal information to any large company has had their data stolen. If someone wants your personal info, it's out there on the darkweb for whoever cares to buy it.
+1 I subscribe to the "big sky theory" of data security at this point. I do also have my credit reports frozen.

TravelGeek
Posts: 2450
Joined: Sat Oct 25, 2014 3:23 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by TravelGeek » Fri Nov 30, 2018 1:12 pm

Sigh. This will continue until it becomes more costly for businesses to deal with breaches than to implement proper security mechanisms.

From the Kroll site:

"WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found."

That's great. I assume my data is already out there from various other breaches. So if they find my information, then what? Has anyone here got any good experience with those free monitoring services that are routinely provided as "band-aids" when breaches are reported?

whodidntante
Posts: 4304
Joined: Thu Jan 21, 2016 11:11 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by whodidntante » Fri Nov 30, 2018 1:53 pm

With GDPR, the EU might breach more than data at the Marriott.

alpenglow
Posts: 691
Joined: Tue May 31, 2011 12:02 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by alpenglow » Fri Nov 30, 2018 2:06 pm

TravelGeek wrote:
Fri Nov 30, 2018 1:12 pm
Sigh. This will continue until it becomes more costly for businesses to deal with breaches than to implement proper security mechanisms.
Sad, but true.

Olemiss540
Posts: 620
Joined: Fri Aug 18, 2017 8:46 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by Olemiss540 » Fri Nov 30, 2018 2:08 pm

TravelGeek wrote:
Fri Nov 30, 2018 1:12 pm
Sigh. This will continue until it becomes more costly for businesses to deal with breaches than to implement proper security mechanisms.

From the Kroll site:

"WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found."

That's great. I assume my data is already out there from various other breaches. So if they find my information, then what? Has anyone here got any good experience with those free monitoring services that are routinely provided as "band-aids" when breaches are reported?
Googling led me to BBB website (with a few reviews) and I decided a hard NO from me on supplying Kroll with my SS, etc.
I hold index funds because I do not overestimate my ability to pick stocks OR stock pickers.

bottlecap
Posts: 5879
Joined: Tue Mar 06, 2007 11:21 pm
Location: Tennessee

Re: Marriott Starwood Security breach - 500 million guests

Post by bottlecap » Fri Nov 30, 2018 5:34 pm

Maybe I'm wrong, but the most important information they might have obtained is my credit card information. Big deal. My credit card company has a pretty tight grip on that stuff.

My name, gender, and age are easily obtainable on a variety of public databases. This information can be found on almost anyone for $30.

JT

harrychan
Posts: 1423
Joined: Sun Nov 14, 2010 9:37 pm
Location: Pasadena

Re: Marriott Starwood Security breach - 500 million guests

Post by harrychan » Fri Nov 30, 2018 5:55 pm

CEO came out and said possibly passport information also. There is ZERO reason for anyone to retain this information. They need to get separate authorization to process credit card transactions. The only real need to keep personal information is for their points reward system. Even so, they should only require name and contact info. That's it. Address, credit card and passport / ID numbers are irrelevant for them to do their business.
This is not legal or certified financial advice but you know that already.

NoHeat
Posts: 221
Joined: Sun Sep 18, 2016 10:13 am

Re: Marriott Starwood Security breach - 500 million guests

Post by NoHeat » Fri Nov 30, 2018 6:57 pm

harrychan wrote:
Fri Nov 30, 2018 5:55 pm
CEO came out and said possibly passport information also. There is ZERO reason for anyone to retain this information.
These hotel chains are international.

Hotels in some countries are required to collect passport info routinely, when guests check in. Back in the 1980s, French hotels had me fill out a standard card, required by the police, with my passport info. I assume somebody was required to retain it for a while. Nowadays hotels put it in a database for police access.

https://ec.europa.eu/home-affairs/sites ... nation.pdf

ebrasmus21
Posts: 250
Joined: Tue Nov 29, 2016 6:06 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by ebrasmus21 » Fri Nov 30, 2018 7:10 pm

Changed a couple of passwords today, likely all I'll do.

davegreen10
Posts: 54
Joined: Mon Dec 17, 2012 7:26 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by davegreen10 » Fri Nov 30, 2018 8:27 pm

I love how the free monitoring service gives you the option of adding your social security number if you want them to monitor that also.

Ummm, you just lost all my info to hackers. I don't think I'm ready to trust you with more...

Horton
Posts: 124
Joined: Mon Jan 21, 2008 3:53 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by Horton » Sat Dec 01, 2018 11:46 am

Interestingly enough, I got a robo call from "Marriott" last night informing me that I won a "free trip" :D

I immediately hung up.

Cruise
Posts: 674
Joined: Mon Nov 21, 2016 7:17 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by Cruise » Sat Dec 01, 2018 8:14 pm

nisiprius wrote:
Fri Nov 30, 2018 11:39 am
So, who is "Kroll" and how do I know it is safe to enroll in the "Kroll Web Watcher Monitoring Service?" Free, but only for a year.

Anyone go far enough to find out if they ask for a credit card number at any point?

...I'm getting mighty tired of companies whose response to data breaches is to ask you to provide sensitive information to another company...
Kroll is a well-respected security firm with a worldwide presence.

2015
Posts: 2152
Joined: Mon Feb 10, 2014 2:32 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by 2015 » Sun Dec 02, 2018 2:08 am

Today Krebs had some very important things to say about the breach and about good security hygiene in general:

https://krebsonsecurity.com/

NoHeat
Posts: 221
Joined: Sun Sep 18, 2016 10:13 am

Re: Marriott Starwood Security breach - 500 million guests

Post by NoHeat » Sun Dec 02, 2018 9:34 am

2015 wrote:
Sun Dec 02, 2018 2:08 am
Today Krebs had some very important things to say about the breach and about good security hygiene in general:

https://krebsonsecurity.com/
Thanks.

My take on the article:

Accept it. Your SS, birthdate, mother’s maiden name, etc. are already all out there and you cannot do anything about it. Don’t bother to learn if it’s out there — it is.

Other than changing passwords and making them all different from one another, there’s nothing the article really suggests for an individual to do. Due to our busted system of data security, you are doomed.

2015
Posts: 2152
Joined: Mon Feb 10, 2014 2:32 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by 2015 » Sun Dec 02, 2018 1:37 pm

NoHeat wrote:
Sun Dec 02, 2018 9:34 am
2015 wrote:
Sun Dec 02, 2018 2:08 am
Today Krebs had some very important things to say about the breach and about good security hygiene in general:

https://krebsonsecurity.com/
Thanks.

My take on the article:

Accept it. Your SS, birthdate, mother’s maiden name, etc. are already all out there and you cannot do anything about it. Don’t bother to learn if it’s out there — it is.

Other than changing passwords and making them all different from one another, there’s nothing the article really suggests for an individual to do. Due to our busted system of data security, you are doomed.
I view it as not so much doomed as forewarned and informed. Security is a trade off between security, privacy, and convenience. I have personally gone to great lengths to inconvenience myself in the name of security. It is what it is.

RMD3819
Posts: 36
Joined: Wed Mar 27, 2013 3:40 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by RMD3819 » Sat Dec 08, 2018 3:42 pm

So what is the verdict - enroll in Kroll or not?

I set up an account but did not add my cc or SS - yet.

Dantes
Posts: 222
Joined: Wed Feb 25, 2015 6:38 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by Dantes » Sat Dec 08, 2018 4:54 pm

500 million is a remarkably impressive proportion of the total world population.

World population is 7.7 billion. CIA says 27% below the age of 15, so count them out; that leaves 5.6 billion. So they are saying that something like 9% of the entire adult population of the entire world has been a Marriott guest?

NoHeat
Posts: 221
Joined: Sun Sep 18, 2016 10:13 am

Re: Marriott Starwood Security breach - 500 million guests

Post by NoHeat » Sat Dec 08, 2018 5:35 pm

Dantes wrote:
Sat Dec 08, 2018 4:54 pm
500 million is a remarkably impressive proportion of the total world population.

World population is 7.7 billion. CIA says 27% below the age of 15, so count them out; that leaves 5.6 billion. So they are saying that something like 9% of the entire adult population of the entire world has been a Marriott guest?
No. Probably it represents 500 million times that a guest checked in, or made a reservation. There’s no practical way Starwood could uniquely identify and track all customers, worldwide. For those who had Starwood rewards account numbers, maybe, but most probably did not.

Dantes
Posts: 222
Joined: Wed Feb 25, 2015 6:38 pm

Re: Marriott Starwood Security breach - 500 million guests

Post by Dantes » Sun Dec 09, 2018 7:52 am

NoHeat wrote:
Sat Dec 08, 2018 5:35 pm
Dantes wrote:
Sat Dec 08, 2018 4:54 pm
500 million is a remarkably impressive proportion of the total world population.

World population is 7.7 billion. CIA says 27% below the age of 15, so count them out; that leaves 5.6 billion. So they are saying that something like 9% of the entire adult population of the entire world has been a Marriott guest?
No. Probably it represents 500 million times that a guest checked in, or made a reservation. There’s no practical way Starwood could uniquely identify and track all customers, worldwide. For those who had Starwood rewards account numbers, maybe, but most probably did not.
Right - the point being their messaging is off, and could have been crafted in (slightly) less apocalyptic terms.

As for customer identification, I can not imagine a major hotel chain where distinct guests is not a subject of research.

CardinalRule
Posts: 156
Joined: Sun Jan 15, 2017 11:01 am
Location: United States

Re: Marriott Starwood Security breach - 500 million guests

Post by CardinalRule » Sun Dec 09, 2018 1:49 pm

I had a similar reaction. I started the enrollment process, and found that Kroll was asking me for information that Marriott never had in the first place. Seems risky - I'll need to think more about this.
davegreen10 wrote:
Fri Nov 30, 2018 8:27 pm
I love how the free monitoring service gives you the option of adding your social security number if you want them to monitor that also.

Ummm, you just lost all my info to hackers. I don't think I'm ready to trust you with more...
