Marriott Discloses Missing Data Files
An anonymous reader writes "Marriott International has admitted that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company." From the Washington Post story: "Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes."
Can anyone tell me why Marriott has the SSNs of customers?
Time-share owners, maybe, employees definitely, but customers? Why?
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
Back in ancient days (pre-500 AD for example), it was not a rare thing for vaguely look-alike, or not even look-alike people, to claim to be someone famous/important in a village or town where nobody could invalidate the claim (or those who would validate it were being duped or willing participants).
This is a quite old crime. The difference is that now identity theft of everyday people can be lucrative, and you don't even need to look like them or deal with tricking others. And you don't have to worry about being lynched or stoned, just going to jail.
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
Be afraid. Be very afraid.
Considering the time of year, no doubt some Marriott PHB who was looking for some extra X-Mas cash decided to "sell their list". While many companies have absolutely no qualms about selling customer information (AKA creating a new "profit center"), I am more inclined to believe that the backup tapes were lost or stolen, rather than a conscious effort to create a new corporate profit center.
Then again, John Poindexter's "Total Information Awareness" project (entirely DoD databases) was morphed into "MATRIX", which was designed to make use of multiple commercial (and commercially available) databases. So, perhaps, it was merely an "extra patriotic" Marriott employee.
Considering recent events in the news (non-FISA approved wiretapping), perhaps one possibility is just as scary as the other...
When backing up, generate a random "tape" key. Encrypt this "tape key" using a block cipher and your official key. Store the encrypted tape key several times at several locations on the tape. The locations of the key must be known without needing to read the tape to find them.
With that set up, encrypt the main contents of the tape with a stream cipher (say, RC4) with the tape key.
This way, damage to a certain area of the tape will not result in a complete loss of data. Using a random key for each tape eliminates the big cryptographic no-no of using a stream cipher key twice.
Melissa
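An added example, not part of the comment above and not any vendor's code: a sketch of the scheme it describes, with an HMAC tag on each stored key copy so a reader can tell an intact copy from a damaged one. The slot offsets, slot format and 32-byte master key split are assumptions, XTEA stands in for the unnamed block cipher so the code runs on the Python standard library, and RC4 is used only because the comment names it.

```python
import hashlib, hmac, os, struct

SLOTS, SLOT_LEN, DATA_START = (0, 64, 128), 32, 192  # constructed layout (assumption)

def xtea(key, block, decrypt=False):  # stand-in block cipher: 8-byte block, 16-byte key
    k, (v0, v1) = struct.unpack(">4I", key), struct.unpack(">2I", block)
    f = lambda v, s, i: (((v << 4) ^ (v >> 5)) + v) ^ (s + k[i])
    d, m = 0x9E3779B9, 0xFFFFFFFF
    for r in (range(31, -1, -1) if decrypt else range(32)):
        s0, s1 = (r * d) & m, ((r + 1) * d) & m  # round sums before/after the step
        if decrypt:
            v1 = (v1 - f(v0, s1, (s1 >> 11) & 3)) & m
            v0 = (v0 - f(v1, s0, s0 & 3)) & m
        else:
            v0 = (v0 + f(v1, s0, s0 & 3)) & m
            v1 = (v1 + f(v0, s1, (s1 >> 11) & 3)) & m
    return struct.pack(">2I", v0, v1)

def rc4(key, data):  # the stream cipher the comment names; the same call decrypts
    S, j, out = list(range(256)), 0, bytearray()
    for i in range(256):  # key schedule
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    for b in data:  # keystream XORed byte by byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def write_tape(master, plaintext):  # master: 16-byte wrap key + 16-byte MAC key
    tape_key = os.urandom(16)  # fresh per tape, so no RC4 key is used twice
    wrapped = xtea(master[:16], tape_key[:8]) + xtea(master[:16], tape_key[8:])
    slot = wrapped + hmac.new(master[16:], wrapped, hashlib.sha256).digest()[:16]
    tape = bytearray(DATA_START)
    for off in SLOTS:  # identical copies at offsets known without reading the tape
        tape[off:off + SLOT_LEN] = slot
    return bytes(tape) + rc4(tape_key, plaintext)

def read_tape(master, tape):
    for off in SLOTS:
        wrapped, tag = tape[off:off + 16], tape[off + 16:off + SLOT_LEN]
        good = hmac.new(master[16:], wrapped, hashlib.sha256).digest()[:16]
        if hmac.compare_digest(tag, good):  # a damaged copy fails here and is skipped
            key = xtea(master[:16], wrapped[:8], True) + xtea(master[:16], wrapped[8:], True)
            return rc4(key, tape[DATA_START:])
    raise ValueError("every copy of the wrapped tape key is damaged")
```

A flipped byte in the data area garbles only that byte of the restored plaintext, because the contents carry no integrity protection of their own in this scheme.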
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager