Slashdot Mirror


Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach (techcrunch.com)

An anonymous reader writes: Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach. The hotel and resorts giant said in a statement filed with U.S. regulators that the "unauthorized access" to its guest database was detected on or before September 10 -- but may have dated back as far as 2014. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014," said the statement. "Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it."

Specific details of the breach remain unknown. We've contacted Starwood for more and will update when we hear back. The company said that it obtained and decrypted the database on November 19 and "determined that the contents were from the Starwood guest reservation database." Some 327 million records contained a guest's name, postal address, phone number, date of birth, gender, email address, passport number, Starwood's rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.

71 comments

  1. Ding, ding, ding by Anonymous Coward · · Score: 4, Funny

    I'm a winner again in the data breach sweepstakes. I feel special.

    1. Re:Ding, ding, ding by Anonymous Coward · · Score: 2, Funny

      Don't know why you bother being an AC here.....your details are all over the web.

    2. Re:Ding, ding, ding by Lucas123 · · Score: 2

      You're not special. They lost more records than there are people in the U.S., Canada and Mexico combined. This wasn't a data breach, it was a data dump. We need laws that punish these... ahem, irresponsible companies.

  2. Oopsie by war4peace · · Score: 4, Funny

    Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re:Oopsie by DarkRookie2 · · Score: 1

      Let's see. I think companies should be fined a minimum of $500 per user record lost. Unless it's a true 0-day.

      So they should be fined $250,000,000,000.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    2. Re:Oopsie by Anonymous Coward · · Score: 1

      So they are saying Starwood has stored data for 500 million "customers". Isn't that ~6.4% of the world population? Sounds fishy to me.

    3. Re:Oopsie by pslytely+psycho · · Score: 1

      I thought Equifax was king...

      --
      Donald Trump, on a crusade to make Nixon look respectable
    4. Re:Oopsie by Anonymous Coward · · Score: 0

      There wouldn't be any companies left. Just sayin'. Nobody could remain in business with penalties that severe. That's like saying a speeding ticket should result in summary execution.

    5. Re:Oopsie by war4peace · · Score: 4, Interesting

      No, they are saying there are 500 million RECORDS, but, of course, Tech Crunch turned that into "customers" and Slashdot copy/pasted as always.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    6. Re:Oopsie by DarkRookie2 · · Score: 4, Insightful

      Their problem not mine.
      Either secure your shit with modern tools, or burn down the current system completely and start from scratch.

      These will not stop happening unless some punishment is added.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    7. Re:Oopsie by Anonymous Coward · · Score: 5, Informative

      Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

      Nothing will EVER top the OPM data breach of security clearance applications.

      Address and CC number? Meh. OPM basically handed China the entire database of every cleared U.S. military or civilian person. Who they are. Where they work. What they do. Rank. Title. Clearance. ALL their dirty laundry. Crimes, convicted or not. Medical. Mental health. Finances. Drug use. Alcohol use. Foreign travel. Associations. Family (complete with SSN's for all!). Job history.

      And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.

    8. Re: Oopsie by Anonymous Coward · · Score: 0

      Unlikely even then. This will keep happening because you geeks cannot get your shit together. Stop worrying about left wing politics and start getting your jobs done. Blame placed squarely on the shoulders of those who code this shit.

    9. Re:Oopsie by pak9rabid · · Score: 1

      ...or just don't offer the convenience provided by computerized systems at all because suddenly it's too cost prohibitive to use them. No system is 100% secure, and eventually things like this will happen. Making the penalties so severe that it makes financial sense to simply not use these types of systems will ensure that dealing with these companies is way shittier than it is now.

    10. Re: Oopsie by Anonymous Coward · · Score: 0

      Please mod parent up. This has had ramifications so bad we will never know the cost.

    11. Re: Oopsie by Anonymous Coward · · Score: 0

      That's kind of the point. If you can't keep the data secure then your business should no longer exist.

      It's clear that companies don't really care. These breaches are happening with increasing frequency.

      Something needs to change. I like the idea of a fine in the realm of $300 per account.

    12. Re:Oopsie by Anonymous Coward · · Score: 0

      It wouldn't be a problem for you if the economy tanked? Somehow I doubt it...

    13. Re:Oopsie by Anonymous Coward · · Score: 0

      It is your problem unless you live in a remote cabin in the mountains completely off the grid and grow your own food and make your own clothes and tools.

    14. Re: Oopsie by Anonymous Coward · · Score: 0

      Well this would force companies to provide more jobs.

    15. Re:Oopsie by slickwillie · · Score: 1

      So they are saying Starwood has stored data for 500 million "customers". Isn't that ~6.4% of the world population? Sounds fishy to me.

      I thought it seemed a bit high too so I checked. According to

      https://www.statista.com/statistics/247310/number-of-starwood-hotels-and-resorts-hotel-rooms-worldwide/

      "This statistic shows the number of Starwood Hotels and Resorts hotel rooms worldwide from 2009 to 2016. There were more than 339 thousand Starwood Hotels and Resorts hotel rooms worldwide as of January 1, 2014."

      That's a lot of rooms. Starwood includes many hotel brands.

    16. Re:Oopsie by DarkRookie2 · · Score: 2

      $500 per record is not that severe.
      COPPA is worse.

      It is going to come out that they either didn't patch like they are supposed to or left something open.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    17. Re: Oopsie by Anonymous Coward · · Score: 0

      This will not happen because dumbasses like the parent I'm responding to don't realize that it is not possible to write the entire software stack from the OS all the way up, write your own apps, and write the software that powers the storage and network infrastructure all by yourself — and to do half of that securely. If a device is on the internet, it is not secure. End of story. Dipshits like to make snarky comments about how easy it is to secure everything — but they never offer solutions. In reality it is nearly impossible. You can only make it more secure than the next guy.

    18. Re:Oopsie by mnemotronic · · Score: 2

      Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

      Nothing will EVER top the OPM data breach ...

      And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.

      Whoa. Dude. You got a t-shirt? Well I'm miffed. I'm getting the free MyIdcare.com credit monitoring. For the past couple years the only alerts I've gotten are for sexual predators moving into the neighborhood.

      --
      The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    19. Re:Oopsie by sacrilicious · · Score: 2

      OPM basically handed China the entire database of every cleared U.S. military or civilian person.

      Clarification: this quote is easily mis-read to mean "every cleared military person or civilian person", whereas it actually means "every military or civilian person who had a clearance", as wikipedia says the number of people affected was 21 million (a very significant number, just not nearly as massive as the population of the US).

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
    20. Re:Oopsie by Calydor · · Score: 1

      Wow. Suddenly the number went from unbelievable to "1000 customers per hotel over X number of years". I almost got whiplash from that change in perception.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    21. Re:Oopsie by MooseTick · · Score: 1

      "Let see. I think companies should be fined a minimum of $500 per user record lost. Unless its a true 0-day"

      That sounds great until you ask how you define a record. Does a receipt you don't take at McDonald's for a shake that ends up on the floor count as a lost record? And how do you define and qualify a "true 0-day"? And why $500?

      If you did have fines like this, you would be the one paying for the increased security because Marriott or whoever would have to spend millions and maybe billions to ensure this never happened and that money has to come from somewhere.

  3. My question is... by thomn8r · · Score: 3, Interesting

    Why are they storing all that data in the first place?

    1. Re:My question is... by Anonymous Coward · · Score: 0

      They pay for Oracle and need to justify its use to the CTO?

      RMAN in Oracle Database 10g Best Practices for Maximum Bene
      https://www.oracle.com/technetwork/database/.../starwood-rman-casestudy-130625.pd...

    2. Re:My question is... by Anonymous Coward · · Score: 1

      Because companies think data is the new oil.
      The more they have, the more they can use it to make $$$

    3. Re:My question is... by enjar · · Score: 4, Insightful

      It's pretty routine information for a hotel to have on file. Imagine you were running a hotel ... what would you want to know about your customers?
      • When they are coming. You need to know how many rooms are booked to schedule staff, etc.
      • Who they are so you can verify them when they show up (name, address, DOB, etc)
      • How to contact them if you need to. For example, a water pipe bursts making the hotel uninhabitable and you need to let them know.
      • Passport number would be important for international visitors (and might be required by law)
      • Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot
      • Rewards number and balance is necessary for room upgrades, etc
    4. Re:My question is... by Anonymous Coward · · Score: 1

      There are legal record keeping requirements for hotels.

    5. Re:My question is... by thomn8r · · Score: 1

      And they need all this years after the customer has left?

    6. Re:My question is... by bugs2squash · · Score: 2

      It's a problem of degrees. Name: yes, Phone number: good idea, Address: maybe, Credit card number: no - the card company can process that, DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.

      This is a problem entirely of their own making and they should be held accountable. A monster fine may well drive one of them out of business, but it sure as hell will make the other hotels more careful, and a bunch of hotel properties come on the market for someone else to run - it's not like a draconian fine would put an end to the hotel business, but it might put an end to the "let's just ask for his SSN while we're at it" business.

      --
      Nullius in verba
    7. Re:My question is... by AmiMoJo · · Score: 1

      Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot

      Another reason that you should adopt some GDPR like laws. Not storing personal info just because they think they can make a buck from it, they have to have a legitimate business reason or get your explicit permission.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:My question is... by enjar · · Score: 1

      Could be a legal requirement for the area the hotel is located in. Some countries are creepier than others.

    9. Re:My question is... by AndrewFlagg · · Score: 1

      we have all seen this .... working on a project and they found that the developer stored customer data in the clear in flat files including social security numbers, credit card numbers, even worse on a public facing server and directory and more.. i was shocked and told the client.. what an idiot. for goodness sake folks any kind of obfuscation is recommended.. any will be better than data in the clear i had to get the owners of another project to explain to me why the DOB had to be collected and they wanted to know their age.. i said, then say "age" like 35, 50, 18, etc... you are going throwing a birthday party for this member or sending them a birthday card... come on folks... and passwords are a thing of the past for me some 10 years ago.. don't store and save anything other than their email address and call it good.. don't even store what they did.. just make catch their email to send them a receipt....and even then you don't need that.. but something to help them.. know their product/service is on its way or still a member.. that's it.. done.. anyone else want to add...

    10. Re:My question is... by AndrewFlagg · · Score: 1

      all i can say is NOPE NADA NOT NEEDED to all your statements. there is a simpler way to give a great customer experience and keep them confidentially staying at your hotel, motel. i do like the fact you laid out the obvious for a systems analyst to ask a client how they want to make a great customer experience.. remember.. you can get to your ends by other means without all that stored data.. front desk employee -- customer unique identifier, start, end, and the front desk doesn't even need to know room # that could be received from a 2nd party and keep the front desk from privacy violations from another 3rd party.. make it very hard for a 3rd and 4th party to get all your data from one place.... TGIF

    11. Re:My question is... by enjar · · Score: 1

      Agreed, there should be more transparency on what data is collected, how long it's retained, what it's used for, and the ability to opt out of data collection. That's also the reasoning behind the "contact preference" field mentioned in the OP. This is probably where they are storing the opt-in preferences to stay in compliance with the CAN-SPAM act.

      In terms of the "why are they storing such things?", though, this list of stuff isn't exactly earth shattering in terms of what a hotel would store about a customer. It's not like they had DNA, a retinal scan, and a urine sample on file.

    12. Re:My question is... by PrimaryConsult · · Score: 1

      I was a Starwood member, and can fill in a few reasons/things:
      Address: To send the membership card and some legally required mailings, not to mention verify billing address
      Credit Card Number: Storing this was always optional, and like anywhere you save payments it is a convenience/security tradeoff.
      DOB: I don't remember ever providing that
      Drivers License, Passport number: Nope, never provided those either, even for international bookings or bookings involving parking fees.

    13. Re:My question is... by bugs2squash · · Score: 1

      I often get asked for ID when I check in, not when I make a booking. I suspect they harvest the information then.

      --
      Nullius in verba
    14. Re:My question is... by Anonymous Coward · · Score: 1

      In Europe it's likely a legal requirement *not* to do that now. As far as I can see "legitimate interest" and "performance of contract" pretty much ends when the bill is settled and the room not trashed.

    15. Re:My question is... by thegarbz · · Score: 1

      And they need all this years after the customer has left?

      Where do you get this from? The 2014 figure is how far back the breach may have been occurring, not how much it stores.

      Based on what shows up in the app, I can see only the past 24 months worth.

    16. Re:My question is... by thegarbz · · Score: 1

      DOB - wtf

      Legal requirement in many countries.

      Drivers license number, Passport number - really !

      Legal requirement in MOST countries.

      If there isn't a legal requirement then they help themselves to keep their database standard.

      This is a problem entirely of their own making and they should be held accountable.

      The breach is a problem of their own making. The fact that they had to collect this information is not.

    17. Re:My question is... by bugs2squash · · Score: 1

      MOST countries maybe - but do you know that they need to collect this in the USA ? What's driving that requirement, Homeland security ?

      --
      Nullius in verba
    18. Re:My question is... by PrimaryConsult · · Score: 1

      Forgot about that. I can see where they might grab the passport info [they ask to make a copy], but the driver's license domestically they just look at the picture (I usually don't even need to take it out of the wallet).

    19. Re:My question is... by Calydor · · Score: 1

      Name definitely.
      Phone number definitely, as GP said contacting customers in an emergency can be necessary.
      Address comes along with ID verification, also for sending membership cards etc. Most people likely sign up voluntarily.
      Credit card saved for most guests as that will allow direct access to room service, mini-fridge in the room etc. Few would insist on having to whip out the card every single time.
      Date of birth falls under ID verification and is usually printed on driver's license or passport which is what you'll be showing to prove that your name actually IS John Smith.

      Never underestimate the amount of data people are both required to hand over and will voluntarily hand over in the interest of luxury.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    20. Re:My question is... by gravewax · · Score: 1

      DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.

      That information is a legal requirement to be collected in many countries for foreign travellers, it isn't something they do because they want to.

    21. Re:My question is... by thegarbz · · Score: 1

      MOST countries maybe - but do you know that they need to collect this in the USA ? What's driving that requirement, Homeland security ?

      Answered in the third sentence of my post.

    22. Re:My question is... by MooseTick · · Score: 1

      If you get points for staying in their hotels, they have to track that somehow.

  4. Much stiffer penalties by DaMattster · · Score: 1

    In order to prevent this from happening, there need to be much stiffer penalties for incidents like this. I am not talking financial ones but criminal ones. Subject the entire senior management to arrest and criminal prosecution for failing to take reasonable safeguards against incidents like this. Then you watch how seriously IT departments will take information security.

    1. Re:Much stiffer penalties by Anonymous Coward · · Score: 1

      In order to prevent this from happening, there need to be much stiffer penalties for incidents like this. I am not talking financial ones but criminal ones. Subject the entire senior management to arrest and criminal prosecution for failing to take reasonable safeguards against incidents like this. Then you watch how seriously IT departments will take information security.

      It will not happen and should not happen. The problem is the IT guys have to be perfect 100% of the time, while the bad guys only have to be right once. Can you honestly state that you have ever made it through a day without making a single error of any kind?

    2. Re:Much stiffer penalties by Anonymous Coward · · Score: 0

      It's starting to make me wonder how many of these data breaches are actually accidental.

      "We could make a ton of money selling our customer data, but our customers would be very displeased if we did it openly, so how about if you 'gift' us several million & I accidentally leave the passwords to all our servers here on the table & go to the bathroom for a while."

    3. Re:Much stiffer penalties by Anonymous Coward · · Score: 0

      It's about the magnitude of the mistake.

      Pilots are human too & make mistakes all the time.. the trick is not to make the mistake that gets everybody killed.

  5. Oh, I wonder what the punishment will be by Anonymous Coward · · Score: 0

    My guess is - no punishment at all. Companies now know that they don't have to spend any money on data security, since there won't be any consequences when they get hacked.

  6. IBM by Bigbutt · · Score: 1

    I think that was the contract I was on when I worked at IBM years ago. I was managing IRS and TSA security servers for the first year but managing the servers was outsourced to India so I switched to a 100% telecommute contract with Starwood.

    Regardless, working 100% was pretty much hell as every communication was business only and very strict so there was no camaraderie amongst the team. It pretty much killed any desire to telecommute after that.

    [John]

    --
    Shit better not happen!
  7. Hacked in 2016 too! didn't learn anything by Anonymous Coward · · Score: 0

    Hacked in 2016 too!
    Time for new management since they clearly didn't learn from that mistake.

  8. Never give out your real card number by Anonymous Coward · · Score: 1

    That's two breach headlines this week. These happen so often it's ridiculous. This is why you should never use your real card number for anything.

    For online I always advocate using PayPal, Visa Checkout, Masterpass or another similar payment system where you do not provide your card number to the merchant. If they don't support any of those, this is where I would use a Privacy virtual debit card number. This uses disposable debit card numbers so that you don't have to worry about it being reused after a breach. I've been using it for about 6 months and love it. Shameless referral link with $5 back: https://privacy.com/join/JWVHW

    And of course there is always the compromised POS systems. Keep using chip, NFC, MST, gift cards and cash, people. Never swipe a real card in store nor give out your real card number online!

  9. This will never stop - It is a basic truth! by Anonymous Coward · · Score: 0

    People claiming we need stiffer penalties, more prosecution, more feet to the fire.
    Fine, do all of that. Still won't change the fact that computer systems will continue to be hacked/breached/accessed without authorization or consent.

    It is just how things are.
    It is a basic truth of any system.

    Life - death and taxes
    Legal - only true winners are the lawyers
    computers (hardware & software) - if you build it it will be exploited

    Even the scientists are getting into the action - bio-engineering, anyone?

    Basically, if someone feels they can make something better than it is or exploit it for some sort of gain, they will do it.

    I just don't understand why any of these breach stories are even a surprise anymore.

    As a math guy I see this whole "problem" as derivatives and limits, and we are approaching 0 when it comes to what we know as the identification & financial systems. These systems, as we know them, are slowly approaching 0 value and there will be an event horizon from which these systems will implode.

    1. Re:This will never stop - It is a basic truth! by Anonymous Coward · · Score: 0

      Agreed. So are we supposed to do nothing then?

    2. Re:This will never stop - It is a basic truth! by Anonymous Coward · · Score: 0

      Sigh. *If* the penalties are much more severe *then* companies will spend more money on security *and* these instances will be rarer.

      You seem to be deploying the pathetic "security is hard and can't be perfect so there's no point in trying" argument.

  10. Another breach!... by SCVonSteroids · · Score: 1

    ... and STILL nobody truly gives a shit. Until their identities get stolen.

    --
    I tend to rant.
  11. Wouldn't have happened if they used blockchain by Anonymous Coward · · Score: 0

    More companies need to convert to blockchain systems to prevent this sort of hacking.

  12. Time to legislate not compiling data by Anonymous Coward · · Score: 0

    Time to legislate not being legally allowed to keep data for longer than needed for a transaction.

    We simply cannot keep data safe - so why keep it longer than needed at all?

  13. Isn't enough enough already? How do we fix this? by Rick+Schumann · · Score: 2

    It seems pretty clear to me that 'data security' doesn't exist, and any data stored anywhere that isn't literally air-gapped is fair game for any script-kiddie with an Internet connection (and even then, air-gapped doesn't exclude you from 'social engineering' and phishing attacks). So how do we fix this? Is it really just a matter of humans being careless, and we need a judicial (perhaps a literal use of the word) application of the Clue-by-Four to administrators and executives? Or are the programmers and systems administrators to blame?

    Last I heard around here, it's entirely likely that nothing is safe, not critical infrastructure systems, not even military systems. So what the actual fuck needs to happen, here? How do we fix this?

  14. Carry an abbreviated ID by Anonymous Coward · · Score: 0

    I carry an abbreviated ID, a color printed scanner copy of my driver's license that has the date of birth, license number, and another ID number blanked out. It has printed on the top:

    Numbers removed to protect against identity theft
    You can view license in my hand to verify authenticity

    Here is a mockup picture of the license:
    https://i.imgur.com/yReDmAx.pn...

    If any business establishment will not accept it, wants to make a photo copy of my real license, or wants to copy information off the original, I refuse and they lose my business. I do not let them view the real license in my hand long enough for them to copy data off of it.

    I purchased something at BestBuy once and they asked to see my driver's license. He looked at it and then subtly held it down by a camera and photo copied it. This abbreviated system stops them from taking such privileges with my documents.

  15. I know who did it .... by IsThisNickTaken · · Score: 1

    I've been getting some wonderful spam telemarketing calls telling about wonderful vacation opportunities based on being selected as a Marriott or Wyndham customer.

    The spammers are behind the break in or bought the list from the hackers who broke in.

  16. oh - so that's who owns that DB on AWS !! by ripvlan · · Score: 2

    Security researchers have been looking for years to see who owns certain "open" shared databases on AWS.

    Apparently Marriott just stepped forward to claim ownership.

    Now that our data is effectively out in the open - there is little to identify us from a trustworthy source. I wonder how banks (et al) are changing to address this. Seriously - if a bank or cellphone company called me to ask where my payment is, I'd ask them to prove "I" opened the account.

    My data has been leaked multiple times. Ticketfly, Anthem, Marriott, Experian, and others I can't remember. (plus Amazon leaked my email address -- via a bug in their "forgot password" feature that returned an error message if the account didn't exist, which I reported to them... thank you... still waiting for my $$$).

    So what data isn't public? Now that everything is public, nothing is private (If everyone is Super, then no-one is)
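    The "forgot password" behaviour ripvlan mentions above, an error message that differs depending on whether an account exists, is a classic account-enumeration weakness: an attacker can confirm which addresses are registered before ever touching a password. As an added example that is not part of the original thread and not code from Amazon, Marriott or anyone quoted here, the following Python shows the leaky pattern next to a hardened handler that returns the same status and body whatever address it is given. The user table and the "mail sent" list are constructed stand-ins for the demo.

```python
"""Account enumeration in a forgot-password flow: leaky vs. uniform responses.

Illustrative example only; the user store, the mail hook and the addresses
below are constructed for the demo and do not come from any real system.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample user table (placeholder addresses).
USERS = {"alice@example.com", "bob@example.com"}


@dataclass
class ResetService:
    """Minimal reset service; 'sent' records what would have been mailed."""

    sent: list[tuple[str, str]] = field(default_factory=list)
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _issue_token(self, email: str) -> str:
        # HMAC over the address under a server-side secret. A production
        # version would also persist an expiry and make the token single-use.
        return hmac.new(self.secret, email.encode(), hashlib.sha256).hexdigest()

    def forgot_password_leaky(self, email: str) -> tuple[int, str]:
        """Weak pattern: the reply itself reveals whether the account exists."""
        if email not in USERS:
            return 404, "No account with that email address."
        self.sent.append((email, self._issue_token(email)))
        return 200, "Password reset email sent."

    def forgot_password_uniform(self, email: str) -> tuple[int, str]:
        """Hardened pattern: identical status and body for every input.

        The existence check still happens, but only to decide whether mail
        goes out; nothing about it is reflected to the caller. The token is
        derived on both paths so the two branches do comparable work and the
        response time does not become a side channel for the same question.
        """
        token = self._issue_token(email)
        if email in USERS:
            self.sent.append((email, token))
        return 200, "If an account exists for that address, a reset link has been sent."


def responses_differ(known: str, unknown: str, handler) -> bool:
    """True if an observer could tell a registered address from an unknown one
    purely from the handler's (status, body) reply."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    svc = ResetService()
    print("leaky handler distinguishable:",
          responses_differ("alice@example.com", "nobody@example.com",
                           svc.forgot_password_leaky))
    print("uniform handler distinguishable:",
          responses_differ("alice@example.com", "nobody@example.com",
                           svc.forgot_password_uniform))
```

    The same rule applies to login and registration endpoints: any place the server says "that account does not exist" (or takes measurably longer when it does) hands out the membership of its user table one query at a time, so the fix is to make the observable response independent of whether the record was found.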

  17. A Møøse once bit my sister by Thud457 · · Score: 1

    Those responsible for sacking the people who have just been sacked have been sacked.

    Obviously they have no institutional memory and haven't learned from their past mistakes.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  18. We keep hearing "500 million customers" but... by BenJeremy · · Score: 1

    It's really 500 million RECORDS. That's a big difference... that's still a lot, but the number of different people actually involved in the breach is likely much, much lower.

    Also, we keep hearing "going back to 2014" - which means somebody was accessing it back then, not that that represents the oldest information.

    I really can't stand the ambiguity/imprecision of these sort of reports.