Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach (techcrunch.com)

← Back to Stories (view on slashdot.org)

Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach (techcrunch.com)

Posted by msmash on Friday November 30, 2018 @02:50AM from the Data-Breach dept.

An anonymous reader writes: Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach. The hotel and resorts giant said in a statement filed with U.S. regulators that the "unauthorized access" to its guest database was detected on or before September 10 -- but may have dated back as far as 2014. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014," said the statement. "Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it."

Specific details of the breach remain unknown. We've contacted Starwood for more and will update when we hear back. The company said hat it obtained and decrypted the database on November 19 and "determined that the contents were from the Starwood guest reservation database." Some 327 million records contained a guest's name, postal address, phone number, date of birth, gender, email address, passport number, Starwood's rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.

49 of 71 comments (clear)

Min score:

Reason:

Sort:

Ding, ding, ding by Anonymous Coward · 2018-11-30 02:53 · Score: 4, Funny

I'm a winner again in the data breach sweepstakes. I feel special.
1. Re:Ding, ding, ding by Anonymous Coward · 2018-11-30 05:20 · Score: 2, Funny
  
  Don't know why you bother being an AC here.....your details are all over the web.
2. Re:Ding, ding, ding by Lucas123 · 2018-11-30 08:01 · Score: 2
  
  You're not special. They lost more records than there are people in the U.S., Canada and Mexico combined. This wasn't a data breach, it was a data dump. We need laws the punish these... ahem, irresponsible companies.
Oopsie by war4peace · 2018-11-30 02:56 · Score: 4, Funny

Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

--
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
1. Re:Oopsie by DarkRookie2 · 2018-11-30 03:00 · Score: 1
  
  Let see. I think companies should be fined a minimum of $500 per user record lost. Unless its a true 0-day
  
  So there should be fined, $250,000,000,000.
  
  --
  http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
2. Re:Oopsie by Anonymous Coward · 2018-11-30 03:09 · Score: 1
  
  So they are saying Starwood has stored data for 500 million "customers". Isn't that ~6.4% of the world population? Sounds fishy to me.
3. Re:Oopsie by pslytely+psycho · 2018-11-30 03:12 · Score: 1
  
  I thought Equifax was king...
  
  --
  Donald Trump, on a crusade to make Nixon look respectable
4. Re:Oopsie by war4peace · 2018-11-30 03:18 · Score: 4, Interesting
  
  No, they are saying there are 500 million RECORDS, but, of course, Tech Crunch turned that into "customers" and Slashdot copy/pasted as always.
  
  --
  ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
5. Re:Oopsie by DarkRookie2 · 2018-11-30 03:35 · Score: 4, Insightful
  
  Their problem not mine.
  Either secure your shit with modern tools, or burn down the current system completely and start from scratch.
  
  These will not stop happening unless some punishment is added.
  
  --
  http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
6. Re:Oopsie by Anonymous Coward · 2018-11-30 03:44 · Score: 5, Informative
  
  Are they competing for Guinness World Record holder? Yahoo got top spot... until now.
  Nothing will EVER top the OPM data breach of security clearance applications.
  Address and CC number? Meh. OPM basically handed China the entire database of every cleared U.S. military or civilian person. Who they are. Where they work. What they do. Rank. Title. Clearance. ALL their dirty laundry. Crimes, convicted or not. Medical. Mental health. Finances. Drug use. Alcohol use. Foreign travel. Associations. Family (complete with SSN's for all!). Job history.
  And I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.
7. Re:Oopsie by pak9rabid · 2018-11-30 04:00 · Score: 1
  
  ...or just don't offer the convenience provided by computerized systems at all because suddenly it's too cost prohibitive to use them. No system is 100% secure, and eventually things like this will happen. Making the penalties so severe that it makes financial sense to simply not use these types of systems will ensure that dealing with these companies is way shittier than it it now.
8. Re:Oopsie by slickwillie · 2018-11-30 05:11 · Score: 1
  
  So they are saying Starwood has stored data for 500 million "customers". Isn't that ~6.4% of the world population? Sounds fishy to me.
  I thought it seemed a bit high too so I checked . According to
  
  https://www.statista.com/statistics/247310/number-of-starwood-hotels-and-resorts-hotel-rooms-worldwide/
  
  " This statistic shows the number of Starwood Hotels and Resorts hotel rooms worldwide from 2009 to 2016. There were more than 339 thousand Starwood Hotels and Resorts hotel rooms worldwide as of January 1, 2014. "
  
  That's a lot of rooms. Starwood includes many hotel brands.
9. Re:Oopsie by DarkRookie2 · 2018-11-30 05:14 · Score: 2
  
  $500 per record is not that severe.
  COPPA is worse.
  
  It is going to come out that they either didn't patch like they are suppose to or left something open.
  
  --
  http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
10. Re:Oopsie by mnemotronic · 2018-11-30 08:25 · Score: 2
  
  Are they competing for Guinness World Record holder? Yahoo got top spot... until now.
  Nothing will EVER top the OPM data breach ...
  And I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.
  Whoa. Dude. You got a t-shirt? Well I'm miffed. I'm getting the free MyIdcare.com credit monitoring. For the past couple years the only alerts I've gotten are for sexual predators moving into the neighborhood.
  
  --
  The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
11. Re:Oopsie by sacrilicious · 2018-11-30 09:18 · Score: 2
  
  OPM basically handed China the entire database of every cleared U.S. military or civilian person.
  Clarification: this quote is easily mis-read to mean "every cleared military person or civilian person", whereas it actually means "every military or civilian person who had a clearance", as wikipedia says the number of people affected was 21 million (a very significant number, just not nearly as massive as the population of the US).
  
  --
  - First they ignore you, then they laugh at you, then ???, then profit.
12. Re:Oopsie by Calydor · 2018-11-30 09:22 · Score: 1
  
  Wow. Suddenly the number went from unbelievable to "1000 customers per hotel over X number of years". I almost got whiplash from that change in perception.
  
  --
  -=This sig has nothing to do with my comment. Move along now=-
13. Re:Oopsie by MooseTick · 2018-12-04 04:40 · Score: 1
  
  "Let see. I think companies should be fined a minimum of $500 per user record lost. Unless its a true 0-day"
  That sounds great until how you define a record. Does a receipt you don't take at McDonald's for a shake that ends up on the floor count as a lost record? And how do you define and qualify a "true 0-day"? And why $500?
  If you did have fines like this, you would be the one paying for the increased security because Marriott or whoever would have to spend millions and maybe billions to ensure this never happened and that money has to come from somewhere.
  
  --
  Ninjas don't carry tic tacs
My question is... by thomn8r · 2018-11-30 03:03 · Score: 3, Interesting

Why are the storing all that data in the first place?
1. Re:My question is... by Anonymous Coward · 2018-11-30 03:25 · Score: 1
  
  Because companies think data is the new oil.
  The more they have, the more they can use it to make $$$
2. Re:My question is... by enjar · 2018-11-30 03:26 · Score: 4, Insightful
  It's pretty routine information for a hotel to have on file. Imagine you were running a hotel ... what would you want to know about your customers?
  
  When they are coming. You need to know how many rooms are booked to schedule staff, etc.
  Who they are so you can verify them when they show up (name, address, DOB, etc)
  How to contact them if you need to. For example, a water pipe bursts making the hotel uninhabitable and you need to let them know.
  Passport number would be important for international visitors (and might be required by law)
  Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot
  Rewards number and balance is necessary for room upgrades, etc
3. Re:My question is... by Anonymous Coward · 2018-11-30 03:37 · Score: 1
  
  There are legal record keeping requirements for hotels.
4. Re:My question is... by thomn8r · 2018-11-30 03:59 · Score: 1
  
  And they need all this years after the customer has left?
5. Re:My question is... by bugs2squash · 2018-11-30 04:02 · Score: 2
  
  It's a problem of degrees. Name: yes, Phone number: good idea, Address: maybe, Credit card number: no - the card company can process that, DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.
  This is a problem entirely of their own making and they should be held accountable. A monster fine may well drive one of them out of business, but it sure as hell will make the other hotels more careful, and a bunch of hotel properties come on the market for someone else to run - it's not like a draconian fine would put an end to the hotel business, but it might put an end to the "let's just ask for his SSN while we're at it" business.
  
  --
  Nullius in verba
6. Re:My question is... by AmiMoJo · 2018-11-30 04:13 · Score: 1
  
  Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot
  Another reason that you should adopt some GDPR like laws. Not storing personal info just because they think they can make a buck from it, they have to have a legitimate business reason or get your explicit permission.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
7. Re:My question is... by enjar · 2018-11-30 04:15 · Score: 1
  
  Could be a legal requirement for the area the hotel is located in. Some countries are creepier than others.
8. Re:My question is... by AndrewFlagg · 2018-11-30 04:16 · Score: 1
  
  we have all seen this .... working on a project and the found that the developer stored customer data in the clear in flat files including social security numbers, credit card numbers, even worse on a public facing server and directory and more.. i was shocked and told the client.. what an idiot. for goodness sake folks any kind of obfuscation is recommended.. any will be better than data in the clear i had to get the owners of another project to explain to me why the DOB had to be collected and they wanted to know their age.. i said, then say "age" like 35, 50, 18, etc... you are going throwing a birthday party for this member or sending them a birthday card... come on folks... and passwords are a thing of the past for me some 10 years ago.. don't store and save anything other than their email address and call it good.. don't even store what they did.. just make catch their email to send them a receipt....and even then you don't need that.. but something to help them.. know their product/service is on its way or still a member.. that's it.. done.. anyone else want to add...
9. Re:My question is... by AndrewFlagg · 2018-11-30 04:24 · Score: 1
  
  all i can say is NOPE NADA NOT NEEDED to all your statements. there is a simpler way to give a great customer experience and keep them confidentially staying at your hotel, motel. i do like the fact you laid out the obvious for a systems analyst to ask a client how they want to make a great customer experience.. remember.. you can get to your ends by other means without all that stored data.. front desk employee -- customer unique identifier, start, end, and the front desk doesn't even need to know room # that could be received from a 2nd party and keep the front desk from privacy violations from another 3rd party.. make it very hard for a 3rd and 4th party to get all your data from one place.... TGIF
10. Re:My question is... by enjar · 2018-11-30 04:25 · Score: 1
  
  Agreed, there should be more transparency on what data is collected, how long it's retained, what it's used for, and the ability to opt out of data collection. That's also the reasoning behind the "contact preference" field mentioned in the OP. This is probably where they are storing the opt-in preferences to stay in compliance with the CAN-SPAM act.
  In terms of the "why are they storing such things?", though, this list of stuff isn't exactly earth shattering in terms of what a hotel would store about a customer. It's not like they had DNA, a retinal scan, and a urine sample on file.
11. Re:My question is... by PrimaryConsult · 2018-11-30 04:42 · Score: 1
  
  I was a Starwood member, and can fill in a few reasons/things:
  Address: To send the membership card and some legally required mailings, not to mention verify billing address
  Credit Card Number: Storing this was always optional, and like anywhere you save payments it is a convenience/security tradeoff.
  DOB: I don't remember ever providing that
  Drivers License, Passport number: Nope, never provided those either, even for international bookings or bookings involving parking fees.
12. Re:My question is... by bugs2squash · 2018-11-30 04:46 · Score: 1
  
  I often get asked for ID when I check in, not when I make a booking. I suspect they harvest the information then.
  
  --
  Nullius in verba
13. Re:My question is... by Anonymous Coward · 2018-11-30 06:06 · Score: 1
  
  In Europe it's likely a legal requirement *not* to do that now. As far as I can see "legitimate interest" and "performance of contract" pretty much ends when the bill is settled and the room not trashed.
14. Re:My question is... by thegarbz · 2018-11-30 07:16 · Score: 1
  
  And they need all this years after the customer has left?
  Where do you get this from? The 2014 figure is how far back the breach may have been occurring, not how much it stores.
  Based on what shows up in the app, I can see only the past 24 months worth.
15. Re:My question is... by thegarbz · 2018-11-30 07:18 · Score: 1
  
  DOB - wtf
  Legal requirement in many countries.
  
  Drivers license number, Passport number - really !
  Legal requirement in MOST countries.
  If there isn't a legal requirement then they help themselves to keep their database standard.
  
  This is a problem entirely of their own making and they should be held accountable.
  
  The breach is a problem of their own making. The fact that they had to collect this information is not.
16. Re:My question is... by bugs2squash · 2018-11-30 07:53 · Score: 1
  
  MOST countries maybe - but do you know that they need to collect this in the USA ? What's driving that requirement, Homeland security ?
  
  --
  Nullius in verba
17. Re:My question is... by PrimaryConsult · 2018-11-30 07:55 · Score: 1
  
  Forgot about that. I can see where they might grab the passport info [they ask to make a copy], but the driver's license domestically they just look at the picture (I usually don't even need to take it out of the wallet).
18. Re:My question is... by Calydor · 2018-11-30 09:29 · Score: 1
  
  Name definitely.
  Phone number definitely, as GP said contacting customers in an emergency can be necessary.
  Address comes along with ID verification, also for sending membership cards etc. Most people likely sign up voluntarily.
  Credit card saved for most guests as that will allow direct access to room service, mini-fridge in the room etc. Few would insist on having to whip out the card every single time.
  Date of birth falls under ID verification and is usually printed on driver's license or passport which is what you'll be showing to prove that your name actually IS John Smith.
  Never underestimate the amount of data people are both required to hand over and will voluntarily hand over in the interest of luxury.
  
  --
  -=This sig has nothing to do with my comment. Move along now=-
19. Re:My question is... by gravewax · 2018-11-30 11:44 · Score: 1
  
  DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.
  That information is a legal requirement to be collected in many countries for foreign travellers, it isn't something they do because they want to.
20. Re:My question is... by thegarbz · 2018-11-30 22:48 · Score: 1
  
  MOST countries maybe - but do you know that they need to collect this in the USA ? What's driving that requirement, Homeland security ?
  Answered in the third sentence of my post.
21. Re:My question is... by MooseTick · 2018-12-04 04:45 · Score: 1
  
  If you get points for staying in their hotels, they have to track that somehow.
  
  --
  Ninjas don't carry tic tacs
Much stiffer penalties by DaMattster · 2018-11-30 03:29 · Score: 1

In order to prevent this from happening, there needs to be much stiffer penalties for incidents like this. I am not talking financial ones but criminal ones. Subject the entire senior management to arrest and criminal prosecution for failing to take reasonable safeguards against incidents like this. Then you watch how serious IT departments will take information security.
1. Re:Much stiffer penalties by Anonymous Coward · 2018-11-30 03:41 · Score: 1
  
  In order to prevent this from happening, there needs to be much stiffer penalties for incidents like this. I am not talking financial ones but criminal ones. Subject the entire senior management to arrest and criminal prosecution for failing to take reasonable safeguards against incidents like this. Then you watch how serious IT departments will take information security.
  It will not happen and should not happen. The problem is the IT guys have to be perfect 100% of the time, while the bad guys only have to be right once. Can you honestly state that you have ever made it through a day without making a single error of any kind?
IBM by Bigbutt · 2018-11-30 03:42 · Score: 1

I think that was the contract I was on when I worked at IBM years ago. I was managing IRS and TSA security servers for the first year but managing the servers was outsourced to India so I switched to a 100% telecommute contract with Starwood.
Regardless, working 100% was pretty much hell as every communication was business only and very strict so there was no camaraderie amongst the team. It pretty much killed any desire to telecommute after that.
[John]

--
Shit better not happen!
Never give out your real card number by Anonymous Coward · 2018-11-30 04:18 · Score: 1

That's two breach headlines this week. These happen so often it's ridiculous. This is why you should never use your real card number for anything.
For online I always advocate to use PayPal, Visa Checkout, Masterpass or other similar payment system where you do not provide your card number to the merchant. If they don't support any this is where I would use a Privacy virtual debit card number. This uses disposable debit card numbers so that you don't have to worry about it being reused after a breach. I've been using it for about 6 months and love it. Shameless referral link with $5 back: https://privacy.com/join/JWVHW
And of course there is always the compromised POS systems. Keep using chip, NFC, MST, gift cards and cash, people. Never swipe a real card in store nor give out your real card number online!
Another breach!... by SCVonSteroids · 2018-11-30 04:44 · Score: 1

... and STILL nobody truly gives a shit. Until their identities get stolen.

--
I tend to rant.
Isn't enough enough already? How do we fix this? by Rick+Schumann · 2018-11-30 05:50 · Score: 2

It seems pretty clear to me that 'data security' doesn't exist, and any data stored anywhere that isn't literally air-gapped is fair game for any script-kiddie with an Internet connection (and even then, air-gapped doesn't exclude you from 'social engineering' and phishing attacks). So how do we fix this? Is it really just a matter of humans being careless, and we need a judicial (perhaps a literal use of the word) application of the Clue-by-Four to administrators and executives? Or are the programmers and systems administrators to blame?

Last I heard around here, it's entirely likely that nothing is safe, not critical infrastructure systems, not even military systems. So what the actual fuck needs to happen, here? How do we fix this?
I know who did it .... by IsThisNickTaken · 2018-11-30 08:51 · Score: 1

I've been getting some wonderful spam telemarketing calls telling about wonderful vacation opportunities based on being selected as a Marriott or Wyndham customer.
The spammers are behind the break in or bought the list from the hackers who broke in.
oh - s that's who owns that DB on AWS !! by ripvlan · 2018-11-30 08:52 · Score: 2

Security researchers have been looking for years to see who owns certain "open" shared databases on AWS.
Apparently Marriot just stepped forward to claim ownership.
Now that our data is effectively out in the open - there is little to identity us from a trustworthy source. I wonder how banks (et al) are changing to address this. Seriously - if a bank or cellphone company called me to ask where my payment is, I'd ask them to prove "I" opened the account.
My data has been leaked multiple times. Ticketfly, Anthem, Marriott, Experian, and others I can't remember. (plus Amazon leaked my email address -- via a bug in their "forgot password" feature that returned an error message if the account didn't exist, which I reported to them... thank you... still waiting for my $$$).
So what data isn't public? Now that everything is public, nothing is private (If everyone is Super, then no-one is)
A MÃÃse once bit my sister by Thud457 · 2018-11-30 08:59 · Score: 1

Those responsible for sacking the people who have just been sacked have been sacked.
Obviously they have no institutional memory and haven't learned from their past mistakes.

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
We keep hearing "500 million customers" but... by BenJeremy · 2018-11-30 14:19 · Score: 1

It's really 500 million RECORDS. That's a big difference... that's still a lot, but the number of different people actually involved in the breach is likely much, much lower.
Also, we keep hearing "going back to 2014" - which means somebody was accessing it back then, not that that represents the oldest information.
I really can't stand the ambiguity/imprecision of these sort of reports.