Slashdot Mirror


Marriott Discloses Missing Data Files

An anonymous reader writes "Marriott International has admitted that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company." From the Washington Post story: "Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes."

48 of 162 comments

  1. why do they have SSNs for customers? by rritterson · · Score: 4, Interesting

    Can anyone tell me why Marriott has the SSNs of Customers?

    Time-share owners, maybe, employees definitely, but customers? Why?

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    1. Re:why do they have SSNs for customers? by User+956 · · Score: 4, Funny

      Time-share owners, maybe, employees definitely, but customers? Why?

      Look, they're just making sure you don't steal any towels. Towel theft is a big deal.

      --
      The theory of relativity doesn't work right in Arkansas.
    2. Re:why do they have SSNs for customers? by QuantumG · · Score: 4, Informative

      Unless your business model includes some sort of recurring billing there is absolutely no justification for storing every digit of a credit card number. The first and last digits are more than enough for data matching purposes.

      --
      How we know is more important than what we know.
    3. Re:why do they have SSNs for customers? by Pampusik · · Score: 3, Informative

      I believe this concerns time share loans, in which case a SSN would be required in the credit process.

    4. Re:why do they have SSNs for customers? by cayenne8 · · Score: 3, Interesting
      " I believe this concerns time share loans, in which case a SSN would be required in the credit process."

      Well, even if so...why did they keep the numbers? I've run into things where people wanted my SSN....which I pretty much refuse to give to anyone not associated with ssn taxes....but, to get around it...I just give a deposit in lieu of SSN.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    5. Re:why do they have SSNs for customers? by Pampusik · · Score: 3, Informative

      They would need to keep the SSNs to share with their loan servicer(s?) and backup companies.

      In most cases, when you take out a loan with somebody, your data is likely being shared with everybody they do business with related to the servicing of the loan... especially if you're a "high risk" customer (e.g., low credit score).

    6. Re:why do they have SSNs for customers? by mmclean · · Score: 2, Informative

      It is the Time Share division of Marriott, and they are required to have SSN's for those customers for mortgage interest reporting purposes.

    7. Re:why do they have SSNs for customers? by tq_at_sju · · Score: 2, Funny

      i got a Marriott towel..... i mean i'm kind of a big deal....people know me

      --
      http://www.vanillaafro.com - take me seriously and I will shoot you
    8. Re:why do they have SSNs for customers? by toddbu · · Score: 5, Insightful
      Can anyone tell me why Marriott has the SSNs of Customers?

      I think that you're asking the wrong question here. Shouldn't you be asking "why does it matter if they keep your SSN?" Our whole system of using SSNs to identify people is broken, and if Congress would get off their lazy duffs and fix the problem then maybe it wouldn't matter if someone had my SSN number or not. A simple change to credit reporting laws that would require a second level of verification of the identity of a consumer before granting credit, like what happens when you put a fraud alert on your credit report, would go a long way toward fixing this problem. But those who issue credit are afraid that if you got rid of easy credit then their market would collapse. I'll agree that some people would be inconvenienced by such a system (like those who move around a lot), but it sure would reduce fraud. At the very least, I should have the option of making a fraud alert permanent, and to have complete control over who can view my credit history. Then maybe it wouldn't make such a difference if someone got my personal information.

      --
      If you don't want crime to pay, let the government run it.
    9. Re:why do they have SSNs for customers? by HD+Webdev · · Score: 2, Informative

      Well, even if so...why did they keep the numbers? I've run into things where people wanted my SSN....which I pretty much refuse to give to anyone not associated with ssn taxes....but, to get around it...I just give a deposit in lieu of SSN.

      As far as loans, they keep the numbers because if a person defaults on the loan that's the only data they have that's unique to the person who defaulted. For example, if the debt gets sold cheaply to a debt collection agency, the collection agency needs that number to track the person if the person moves somewhere else. "John Jones of 123 Main St. Anytown, USA" isn't very useful if John Jones moves to another state.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    10. Re:why do they have SSNs for customers? by slick_rick · · Score: 2, Insightful

      Why stop there? Why does any entity need to hold on to my SSN? Why not just make it illegal to do so? I work with large databases every day (100k+ "souls") and it is insane to me that we keep the SSN for all these people. What a security nightmare/identity thief's dream. I've argued with my boss several times that we should dump the SSN and just keep a few hashes instead (md5/sha1/whatever). He doesn't like that idea for valid reasons (mainly compatibility with other systems that don't know shit about a hashed SSN).

      I really wish Congress would pass a law stating that no private entity without a federal charter can hold an SSN longer than 30-60 days. I could then share hashed SSNs with various other DBs because they would have to deal with those, or face the legal consequences.

      Of course I think all commercial entities should be mandated to purge all customer data after two years as well. Why should Sears keep my SSN on file forever just because I had a credit card with them 10 years ago?

      --
      apt-get install redhat please god - Me (take it easy, I love Debian)
    11. Re:why do they have SSNs for customers? by HardCase · · Score: 2, Informative

      Can anyone tell me why Marriott has the SSNs of Customers?

      They probably don't. As the article says, the backup tapes contained credit card numbers and SSNs of workers, time share owners and customers. That reasonably means that they've lost the credit card numbers of time share owners and customers and the SSNs of time share owners and employees.

      So they've lost this data, but it seems to me that they're being reactive in a positive way - they've notified the right people in government, they've contacted financial institutions and they've notified their customers, along with issuing a public statement about it.

      The article claims that the data requires "special equipment" to retrieve the data - some comfort, I guess, unless that special equipment isn't just a DAT drive and a backup program.

      I wouldn't call their measures "proactive", as did the Marriott spokesperson, but the company seems to be reasonably open about it.

      -h-

    12. Re:why do they have SSNs for customers? by llefler · · Score: 4, Informative

      They need to keep your SSN for tax purposes. Depending on your agreement, the loan to 'buy' your timeshare is considered a mortgage. So they need to report interest to the IRS. Not to mention, a credit agency is going to use your SSN to avoid simple name collisions.

      As far as keeping your credit card number, they could be requiring it to cover maintenance fees or it's possible customers are automatically having their loan payments charged to their credit card. I do that with a couple of my monthly expenses so I don't have to write a check. (having both electronic withdrawals and automatic billing to credit cards, I prefer the latter)

      While I suppose you can get around these by buying the timeshare outright, and prepaying maintenance fees, most customers do not want to do that.

      --
      It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
    13. Re:why do they have SSNs for customers? by lazlo · · Score: 3, Insightful

      I've argued with my boss several times that we should dump the SSN and just keep a few hashes instead (md5/sha1/whatever). He doesn't like that idea for valid reasons (mainly compatibility with other systems that don't know shit about a hashed SSN).

      I could be wrong about this, but here's another reason to think of. Hashing the SSNs in the database doesn't raise the bar much for ID thieves. There are 1G possible SSNs. According to my calculations (and the output of "openssl speed md5"), calculating and storing the MD5 of all of them would take my computer about 30 minutes and would take up about 20GB of drive space. After which, looking up an SSN from the hash would be fairly easy.

      My first thought was "add some salt", but SSNs aren't passwords (although they're used like passwords fairly often), they're indexes. So if I've got info on my John Doe, and want to see what info you have on that same John Doe, unless we happened to use the same salt we're screwed.

      The only solution I can see would be to use deterministic salt. Store the MD5 of, for instance, the person's SSN.DOB. That would make it so that the problem for the attacker is (assuming he only cares about people 18-65 years old) 17,155 times harder. So now the database is over 300 TB, and it takes a year to calculate (on my machine). But it means that everyone has to start collecting DOB (which they mostly do anyway - but it would now be necessary) and would have to agree to use MD5(SSN.DOB) as a person's identifier. Thinking about it, that might not be so bad... But it'll still take an act of God or Congress to get everyone to start doing it. And I'm guessing God might be more likely.

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
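The arithmetic in the comment above, carried through as an added example that is not part of any post in the thread: it reproduces the 20 GB / 300 TB figures from the comment's own numbers and shows why an unkeyed hash of a nine-digit identifier can be matched by enumeration. The HMAC variant with a shared secret key is an assumption of this example, not something proposed in the thread, and the SSN is a constructed value in the never-issued 000 area.

```python
import hashlib
import hmac

SSN_KEYSPACE = 10**9            # nine decimal digits, the comment's "1G"
DOB_MULTIPLIER = 17_155         # the comment's count of birth dates, ages 18-65
BYTES_PER_ENTRY = 16 + 4        # MD5 digest plus the SSN packed in 32 bits
SECONDS_FOR_ALL_SSNS = 30 * 60  # the comment's 30 minutes, taken as the hash rate


def table_cost(keyspace):
    """Return (bytes, seconds) needed to precompute every hash in `keyspace`."""
    size = keyspace * BYTES_PER_ENTRY
    seconds = keyspace * SECONDS_FOR_ALL_SSNS / SSN_KEYSPACE
    return size, seconds


def md5_token(ssn, dob=None):
    """Unkeyed identifier from the thread: MD5(SSN) or MD5(SSN.DOB)."""
    text = ssn if dob is None else f"{ssn}.{dob}"
    return hashlib.md5(text.encode()).hexdigest()


def keyed_token(ssn, key):
    """Assumed alternative: HMAC-SHA256 under a secret shared by the parties.

    Still deterministic, so two databases holding the same key can join on
    it, but the token cannot be recomputed from the SSN without the key.
    """
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def enumerate_match(token, candidates, token_fn):
    """Audit helper: return the candidate whose token equals `token`, else None."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def demo():
    ssn = "000001234"  # constructed sample value, not a real SSN
    # A 10,000-entry slice of the keyspace keeps the demonstration instant.
    candidates = [f"{n:09d}" for n in range(10_000)]

    plain_size, plain_secs = table_cost(SSN_KEYSPACE)
    dob_size, dob_secs = table_cost(SSN_KEYSPACE * DOB_MULTIPLIER)

    key = b"constructed-demo-key-not-for-use"
    wrong_key = b"a-party-without-the-shared-key.."
    token = keyed_token(ssn, key)
    return {
        "md5_table_gb": plain_size / 1e9,
        "md5_dob_table_tb": dob_size / 1e12,
        "md5_dob_days": dob_secs / 86_400,
        "unkeyed_matched": enumerate_match(md5_token(ssn), candidates, md5_token),
        "keyed_without_key": enumerate_match(
            token, candidates, lambda c: keyed_token(c, wrong_key)),
        "keyed_with_key": enumerate_match(
            token, candidates, lambda c: keyed_token(c, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed form moves the problem to protecting and distributing the key, which is the same coordination cost the comment raises for agreeing on a shared salt.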
    14. Re:why do they have SSNs for customers? by Halfbaked+Plan · · Score: 2, Informative

      Not to mention, a credit agency is going to use your SSN to avoid simple name collisions.

      Maybe in your world it's okay for SSN's to be routinely dancing around in credit agency computers to prevent 'simple name collisions' but not in mine.

      They're in big trouble if the only 'tag' they have to distinguish between customers is the SSN. There aren't that many cases where people with a common street address have the same exact name. They can use Zipcode+4 if they really have that shaky a system that they need a distinguishing number to use.

      --
      resigned
    15. Re:why do they have SSNs for customers? by Martin+Blank · · Score: 2, Informative

      They're providing free credit monitoring services to those affected. That's more proactive than most companies, who usually do little more than notify the affected people.

      --
      You can never go home again... but I guess you can shop there.
  2. And THAT is why... by Winlin · · Score: 5, Funny

    I stayed in a Holiday Inn Express last night.

  3. Great. by User+956 · · Score: 3, Informative

    With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million. That should stop those crooks!

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:Great. by dc29A · · Score: 3, Insightful

      Why is the job of Homeland Security to secure the data storage of a random company? Start putting out heavy fines on companies who fail to securely store customer data and the problem will go away. Right now there is no "incentive" for companies to keep personal data stored safely. A little PR can take care of a hack.

      Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.

    2. Re:Great. by User+956 · · Score: 3, Insightful

      Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.

      I'm hearing you. I think the way the SSN system works with the financial system is horribly inefficient, insecure, and prone to abuse. But you need to cover both ends. Security on the front end, and proper policing on the back end. Cutting the DHS budget certainly isn't going to help-- especially when hundreds of millions are allocated for projects like the bridge to nowhere.

      --
      The theory of relativity doesn't work right in Arkansas.
    3. Re:Great. by dangitman · · Score: 4, Insightful
      With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million. That should stop those crooks!

      Given the lack of competence of DHS, eliminating their funding can only be a good thing. They only seem to make things worse, and haven't really shown any evidence of being effective at doing anything other than waste money and erode civil liberties.

      --
      ... and then they built the supercollider.
    4. Re:Great. by gasjews · · Score: 2, Insightful

      Can we say inefficient and bloated government administration?

      I always vote down school tax proposals because our local school system has yet to manage to improve the quality of education or teaching while managing to find all sorts of things to spend money on like new toys for the administration to play with, overpriced school complexes (65 million dollars for a school that reasonably holds 3000 at best?), marketing campaigns, etc.

      DHS doesn't need more money. They need to be smart. Unfortunately, bureaucracies are just an extension of modern democracy and modern democracies are largely incapable of meaningful consensus or leadership.

    5. Re:Great. by Dhalka226 · · Score: 4, Informative

      I'm glad the Department of Homeland Security has had their budget cut to $16 million.

      That's misleading. Their RESEARCH budget for CYBERSECURITY is cut to $16 million, and that's only down 7% from last year, which means under $2 million in cuts.

      You can argue it should be higher if you wish, but don't make it sound like the entire DHS--or even cybercrime enforcement in general--is funded that sparsely.

    6. Re:Great. by Ravatar · · Score: 2, Insightful

      That won't necessarily eliminate carelessness on the companies' part. If the fine is less than the cost to properly secure the data, nothing will change.

      The only group that benefits in this case is the government.

    7. Re:Great. by Jeff+DeMaagd · · Score: 2, Insightful

      With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million.

      Is this a real budget cut, or a cut in projected increases?

      Government budget cuts are the most preposterous lies I've seen in a long time. Say the next year's budget is slated to increase 8%. Let's just say that increase is reduced to 4%. Politicians, pundits and media people can then claim (or complain of) a 4% cut, despite that in reality, it was still an increase, the cut was from an imaginary budget that was never enacted. I wish my pay suffered a government budget cut.

  4. Oh thank you thank you thank you! by rleesBSD · · Score: 4, Funny

    Now wifey will never know.

  5. Re:Identify theft a fad? by MaineCoon · · Score: 4, Interesting

    Back in ancient days (pre-500 AD for example), it was not a rare thing for vaguely look-alike, or not even look-alike people, to claim to be someone famous/important in a village or town where nobody could invalidate the claim (or those who would validate it were being duped or willing participants).

    This is a quite old crime. The difference is that now identity theft of everyday people can be lucrative, and you don't even need to look like them or deal with tricking others. And you don't have to worry about being lynched or stoned, just going to jail.

    --
    Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
  6. This kind of thing keeps happening... by dlaur · · Score: 3, Insightful

    Let me ask a simple question: Why don't they encrypt this stuff?

    1. Re:This kind of thing keeps happening... by HermanAB · · Score: 3, Insightful

      No, only the *reporting* of leaks will stop instantly...

      --
      Oh well, what the hell...
    2. Re:This kind of thing keeps happening... by Anonymous Coward · · Score: 2, Informative

      > A single block error could render an entire encrypted archive useless.

      Huh? Where in the world did you come up with that?

      That would only be true if your encryption uses CBC (Cipher Block Chaining) mode. That's where you XOR each block with the ciphertext of the previous block. An error in one block affects that block and every subsequent block like you describe.

      When you use ECB (Electronic Code Book), the regular DES algorithm, you encrypt each 64-bit block independently. Errors only affect the data in the block containing the error. This is faster and easier to implement than CBC mode so it's what a lot of products use.

      I've seen a couple of companies play around with using encryption on their backups, but they stopped for the same reason I've seen more intentionally not use it. You don't want to pull out a tape from a library and not be able to read it. Do you really want to keep up with a list of passwords for a decade or more? Would you want to be the IT director someone that has to tell a CEO that the $250k you've spent on backup tapes and storage costs was for naught since you can't read the tape? I saw a CTO fired for exactly that.

      Of course since I'm responding to a registered user, I'll be marked as a troll or flamebait so this response will never be read. I don't know why I bother posting on this cesspool. Posts like the one I'm replying to that are just plain wrong are given points, but the best posts are given -1's if they're from people that aren't logged-in.

  7. Re:Lost != Stolen by quarkscat · · Score: 3, Interesting

    Be afraid. Be very afraid.

    Considering the time of year, no doubt some Marriott PHB who was looking for some extra X-Mas cash decided to "sell their list". While many companies have absolutely no qualms about selling customer information (AKA creating a new "profit center"), I am more inclined to believe that the backup tapes were lost or stolen, rather than a conscious effort to create a new corporate profit center.

    Then again, John Poindexter's "Total Information Awareness" project (entirely DoD databases) was morphed into "MATRIX", which was designed to make use of multiple commercial (and commercially available) databases. So, perhaps, it was merely an "extra patriotic" Marriott employee.

    Considering recent events in the news (non-FISA approved wiretapping), perhaps one possibility is just as scary as the other...

  8. Hats off to Marriott by TheFlyingGoat · · Score: 2, Insightful

    Many companies out there wouldn't even know if their tapes had been misplaced or lost. At 3 companies I've worked for, we've had tapes lying around in managers' offices and server rooms, many that contain information that could be used for identity theft.

    Marriott has handled this correctly and deserves some credit for doing so. At least they're not trying to cover it up like some companies would.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
    1. Re:Hats off to Marriott by humphrm · · Score: 4, Informative
      Umm, I hate to say it, but a tape missing since last November constitutes a cover-up. Marriott only came out and admitted to the loss because their internal investigation turned up nothing.

      ABN Amro lost a tape with my data on it. The news was out that week. DHL found it, and even though the news agencies didn't cover it much, I got a follow-up letter from ABN Amro AND they extended the free credit tracking service from 3 months to 1 year.

      Marriott on the other hand waited over a month before they even notified the Secret Service, for crying out loud.

      No kudos to Marriott for this one. They're lucky that their month-long cover-up isn't criminal (yet).

      --
      -- "In order to have power, I must be taken seriously." -Mojo Jojo
  9. fraud monitoring by spoonyfork · · Score: 4, Insightful

    I'm glad to read Marriott is offering credit fraud monitoring to the affected people like how Ford offered to its employees when they recently lost 70,000 employee/retiree SSNs. Unless it is lifetime monitoring I fail to see the long term value.

    Wait a second, why don't the credit bureaus offer free lifetime credit fraud monitoring to everyone in the first place?

    --
    Speak truth to power.
  10. Secret Service? by moosesocks · · Score: 2, Funny

    Forgive me for being uninformed, but why would the Secret Service be the agency responsible for investigating this type of incident?

    Unless Valerie Plame had a timeshare.....

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
    1. Re:Secret Service? by rritterson · · Score: 2, Informative

      The Secret Service also serves as the branch of law enforcement that investigates financial fraud and counterfeiting. From The Secret Service web page:

      "The Secret Service also investigates violations of laws relating to counterfeiting of obligations and securities of the United States; financial crimes that include, but are not limited to, access device fraud, financial institution fraud, identity theft, computer fraud; and computer-based attacks on our nation's financial, banking, and telecommunications infrastructure."

      --
      -Ryan
      AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  11. Re:Lost != Stolen by nolife · · Score: 2

    Security through obscurity is not a reliable form of security. You have to pay for that obscurity by having a one off system that is not supported and you pay through the nose to keep it running reliably in your enterprise. A standard LTO3 backup tape is almost $100, imagine what some specialized tape would cost when your company is the only one buying them.
    Basically, you pay a lot of money for some unknown amount of obscurity and reliability that has not been tested by more than a few people. Not cost effective at all when compared to standard equipment coupled with good security practices like accounting, tracking, and encryption. Is there even an enterprise backup system sold in the last few years that does not support some type of encryption?

    IT is a cost center, not a revenue generator. Trying to squeeze security hardware, software, or better practices into IT budgets and manpower is hard and normally plays out as some combination of two ways.

    Proactive and shot down -
    IT managers have a hard time getting others outside of IT to listen to potential issues. This changes rapidly after a breach and IT managers may be replaced.

    Coast and milk -
    IT managers do not even want to bring up or even know about things like security because doing things the way they have always been has worked so far and makes the technical part of the manager job easier. Why rock the boat? That system was in place when I got here and we've been doing it this way for years and certainly "they" up there know about it so I'll go with the flow. That method of brown nosing and coasting with your other manager peers for a while typically leads to the unemployment line with a knife in your back after a security breach! As it should IMHO.

    --
    Bad boys rape our young girls but Violet gives willingly.
  12. That's nothing... by Anonymous Coward · · Score: 5, Informative

    AC for obvious reasons...

    I work the front desk at a competing 4-star hotel chain. I work the night shift ($10/hr to sit there babysitting the desk and reading/fiddling on my laptop, great job for students ;-)). Anyway, the first day, FIRST DAY! I was working there I had access to all the back-up tapes for the past month with every guest's name, address, phone number, what government agency/corporation they work for, and CC#'s/expiration dates. The tapes are all sitting in a filing cabinet in the front office.

    So many people touch the tapes, front desk staff/accounting/reservations/IT, that if one went missing it would be impossible to track back to an individual. What's more, if I just picked up my own tape and made a dupe at night in 35 minutes while I'm there alone nobody would ever know.

    This is a 400 room hotel in a major U.S. city, access to literally tens of thousands of names, addresses and associating credit card numbers, all for filling out a standard job application that I may or may not have filled out accurately. Unbelievable.

    1. Re:That's nothing... by imipak · · Score: 2, Informative
      Sadly all too believable. As you move out of education into the real commercial world you'll notice this sort of crap happens routinely, virtually everywhere you look. Word of advice: be careful how you go about it if you try to raise such things with management. It's rare that you'll get thanked for it, because they will have to spend time & money on fixing stuff that in their eyes, doesn't need fixing. Go read Bruce Schneier's writings about externalities (CryptoGrams passim). He's been harping on about this sort of thing for years - how the cost of security isn't borne by the ones responsible for fixing stuff, so they have no incentive to do so. How you fix this sort of thing is something of a topic in economics. I guess Wikipedia'll have something too, come to think of it, hmmm where's my other tab...

      This is why apparently lame legislative and regulatory setups can be a good thing. Certs such as ISO17799, Sarbanes-Oxley, HIPAA, NIST etc etc actually connect how well a company does with how secure it is. Much of security that would seem like common-sense no-brainers to most of us are actually not worth the org's time and money. (Of course then you get into risk management topics, and quantifying risks, which is very hard to do. How likely is it that your 150 staff, who all use Internet Explorer, will get infected with a drive-by trojan? If they use Firefox? What about Firefox on OS/X? Now, how do you back up your intuitive answers with empirical evidence from the real world?)

      Fancy a career in infosec? It's a lot more fun than it sounds, actually ;)

  13. I am REALLY starting to think by ScrewMaster · · Score: 4, Insightful

    that if these large corporations can't be trusted to play with their computers safely, maybe they should have them taken away. At the very least, I think some adult supervision should be required by law. And if that doesn't work, send them back to using typewriters and filing cabinets.

    --
    The higher the technology, the sharper that two-edged sword.
  14. Some private data loss statistics by michaelaiello · · Score: 4, Insightful
    Lists of incidents

    A report (with pretty graphs) from a recent financial engineering class. Data was from Feb to Sep 2005...
    The 83 recorded loss events were categorized by loss event type and by industry sector. The data is relevant over 232 days. This yields a probability of a loss event occurring in any sector on any given day of 35.7%. If only events affecting financial services institutions are counted, the probability is 7.5%.

    http://privacydata.michaelaiello.com/paper.pdf

    Bring forth the math corrections
  15. I don't know... by Chabil+Ha' · · Score: 2, Insightful

    and maybe I'm just ignorant, but WHY DON'T THEY ENCRYPT ALL THAT INFORMATION WHEN IT LEAVES THE MAIN DATA WAREHOUSE? It seems to me that by encrypting its contents, you put some security around it should it be lost/stolen/etc. Can anyone explain why this isn't done?

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    1. Re:I don't know... by Vellmont · · Score: 2, Informative


      If you encrypt a database backup and there is an error on the tape, the backup could easily be useless.

      Only under certain modes of block cyphers. If you use an electronic code book mode of a block cipher you only lose the block with the error on it. It's not as secure of course, but it's a lot better than nothing.

      --
      AccountKiller
  16. Re:Lost != Stolen by MichaelSmith · · Score: 2, Funny
    All backups should be done on VERY obscure hardware

    In a previous job we did all our backups on nine track tape. Older backups were impossible to read because the magnetic coating would just stick to the read head.

    Nobody was going to steal that data!

  17. They offer self-service by lorcha · · Score: 2

    They don't do free monitoring, but if you're willing to do the legwork of monitoring yourself, you can monitor your credit file yourself, free of charge. clicky

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  18. ENCRYPTION!!!! by carlislematthew · · Score: 2, Insightful
    I'm getting fed up of these irresponsible companies backing up sensitive data with NO ENCRYPTION. We're talking about International companies here, sending plain-text data around on tapes. Sometimes, companies have been caught sending tapes through UPS!

    It's realistic to expect that there is sensitive data out there - the answer is not to say "don't store my SSN", although that should certainly be restricted.

    It seems to me that the answer is ENCRYPTION! Encrypt the data and you can back it up on fucking postcards and send it to my grandmother for all I care..

  19. Use a stream cipher by Myria · · Score: 2, Interesting

    When backing up, generate a random "tape" key. Encrypt this "tape key" using a block cipher and your official key. Store the encrypted tape key several times at several locations on the tape. The locations of the key must be known without needing to read the tape to find them.

    With that set up, encrypt the main contents of the tape with a stream cipher (say, RC4) with the tape key.

    This way, damage to a certain area of the tape will not result in a complete loss of data. Using a random key for each tape eliminates the big cryptographic no-no of using a stream cipher key twice.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
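The tape layout described in the comment above, as an added example that is not part of the original post: a fresh random key per tape, wrapped under the long-term key and written at three positions computable from the tape length alone, with the body encrypted by a stream cipher so that damage stays local. To run on the Python standard library only, an HMAC-SHA256 counter-mode keystream stands in for RC4 and an HMAC-based wrap stands in for the block-cipher key wrap; the slot size, layout and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

BLOCK = 32            # keystream bytes produced per HMAC-SHA256 call
SLOT = 16 + 32 + 32   # nonce + wrapped tape key + integrity tag


def keystream_xor(key, data):
    """Encrypt or decrypt by XORing data with a counter-mode keystream."""
    out = bytearray()
    for pos in range(0, len(data), BLOCK):
        pad = hmac.new(key, pos.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[pos:pos + BLOCK], pad))
    return bytes(out)


def wrap_key(master, tape_key):
    """Stand-in for block-cipher key wrapping under the long-term key."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(master, b"wrap" + nonce, hashlib.sha256).digest()
    body = nonce + bytes(a ^ b for a, b in zip(tape_key, pad))
    return body + hmac.new(master, b"tag" + body, hashlib.sha256).digest()


def unwrap_key(master, slot):
    """Return the tape key, or None when this copy of the slot is damaged."""
    body, tag = slot[:48], slot[48:]
    expect = hmac.new(master, b"tag" + body, hashlib.sha256).digest()
    if len(slot) != SLOT or not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(master, b"wrap" + body[:16], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body[16:], pad))


def write_tape(master, plaintext):
    """Layout: [key slot][first half][key slot][second half][key slot]."""
    tape_key = secrets.token_bytes(32)   # never reused across tapes
    slot = wrap_key(master, tape_key)
    ct = keystream_xor(tape_key, plaintext)
    half = len(ct) // 2
    return slot + ct[:half] + slot + ct[half:] + slot


def read_tape(master, tape):
    """Use the first intact key slot, then decrypt whatever body survives."""
    half = (len(tape) - 3 * SLOT) // 2
    for off in (0, SLOT + half, len(tape) - SLOT):
        tape_key = unwrap_key(master, tape[off:off + SLOT])
        if tape_key is not None:
            break
    else:
        raise ValueError("every copy of the wrapped tape key is damaged")
    ct = tape[SLOT:SLOT + half] + tape[2 * SLOT + half:len(tape) - SLOT]
    return keystream_xor(tape_key, ct)


def damage(tape, start, length):
    """Simulate a media error by inverting `length` bytes from `start`."""
    bad = bytearray(tape)
    for i in range(start, start + length):
        bad[i] ^= 0xFF
    return bytes(bad)


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    records = b"constructed backup record\n" * 40   # constructed sample data
    tape = damage(damage(write_tape(master, records), 0, SLOT), SLOT + 100, 10)
    restored = read_tape(master, tape)
    lost = sum(a != b for a, b in zip(restored, records))
    print(f"bytes lost after damage: {lost} of {len(records)}")
```

A bare stream cipher gives no integrity protection on the body, so the same property that keeps damage local also lets altered bytes decrypt without complaint; a per-chunk MAC would be needed to detect that.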
  20. Famous Last Words by TallMatthew · · Score: 3, Funny
    IT Manager: "Datasafe's here to pick up the backup tapes."

    Marriott soon-to-be-ex SA: "Um, didn't they already come this week?"