Slashdot Mirror


Marriott Says 500 million Starwood Guest Records Stolen in Massive Data Breach (techcrunch.com)

An anonymous reader writes: Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach. The hotel and resorts giant said in a statement filed with U.S. regulators that the "unauthorized access" to its guest database was detected on or before September 10 -- but may have dated back as far as 2014. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014," said the statement. "Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it."

Specific details of the breach remain unknown. We've contacted Starwood for more and will update when we hear back. The company said that it obtained and decrypted the database on November 19 and "determined that the contents were from the Starwood guest reservation database." Some 327 million records contained a guest's name, postal address, phone number, date of birth, gender, email address, passport number, Starwood's rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.

15 of 71 comments

  1. Ding, ding, ding by Anonymous Coward · · Score: 4, Funny

    I'm a winner again in the data breach sweepstakes. I feel special.

    1. Re:Ding, ding, ding by Anonymous Coward · · Score: 2, Funny

      Don't know why you bother being an AC here.....your details are all over the web.

    2. Re:Ding, ding, ding by Lucas123 · · Score: 2

      You're not special. They lost more records than there are people in the U.S., Canada and Mexico combined. This wasn't a data breach, it was a data dump. We need laws that punish these... ahem, irresponsible companies.

  2. Oopsie by war4peace · · Score: 4, Funny

    Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re:Oopsie by war4peace · · Score: 4, Interesting

      No, they are saying there are 500 million RECORDS, but, of course, Tech Crunch turned that into "customers" and Slashdot copy/pasted as always.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    2. Re:Oopsie by DarkRookie2 · · Score: 4, Insightful

      Their problem not mine.
      Either secure your shit with modern tools, or burn down the current system completely and start from scratch.

      These will not stop happening unless some punishment is added.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    3. Re:Oopsie by Anonymous Coward · · Score: 5, Informative

      Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

      Nothing will EVER top the OPM data breach of security clearance applications.

      Address and CC number? Meh. OPM basically handed China the entire database of every cleared U.S. military or civilian person. Who they are. Where they work. What they do. Rank. Title. Clearance. ALL their dirty laundry. Crimes, convicted or not. Medical. Mental health. Finances. Drug use. Alcohol use. Foreign travel. Associations. Family (complete with SSNs for all!). Job history.

      And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.

    4. Re:Oopsie by DarkRookie2 · · Score: 2

      $500 per record is not that severe.
      COPPA is worse.

      It is going to come out that they either didn't patch like they are supposed to or left something open.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    5. Re:Oopsie by mnemotronic · · Score: 2

      Are they competing for Guinness World Record holder? Yahoo got top spot... until now.

      Nothing will EVER top the OPM data breach ...

      And all I got was this lousy t-shirt! ... I mean a year of free credit monitoring. Yay.

      Whoa. Dude. You got a t-shirt? Well I'm miffed. I'm getting the free MyIdcare.com credit monitoring. For the past couple years the only alerts I've gotten are for sexual predators moving into the neighborhood.

      --
      The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    6. Re:Oopsie by sacrilicious · · Score: 2

      OPM basically handed China the entire database of every cleared U.S. military or civilian person.

      Clarification: this quote is easily mis-read to mean "every cleared military person or civilian person", whereas it actually means "every military or civilian person who had a clearance", as wikipedia says the number of people affected was 21 million (a very significant number, just not nearly as massive as the population of the US).

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
  3. My question is... by thomn8r · · Score: 3, Interesting

    Why are they storing all that data in the first place?

    1. Re:My question is... by enjar · · Score: 4, Insightful
      It's pretty routine information for a hotel to have on file. Imagine you were running a hotel ... what would you want to know about your customers?
      • When they are coming. You need to know how many rooms are booked to schedule staff, etc.
      • Who they are so you can verify them when they show up (name, address, DOB, etc)
      • How to contact them if you need to. For example, a water pipe bursts making the hotel uninhabitable and you need to let them know.
      • Passport number would be important for international visitors (and might be required by law)
      • Past reservation history allows you to alert them of sales, promotions, discounts for a place they have stayed a lot
      • Rewards number and balance is necessary for room upgrades, etc
    2. Re:My question is... by bugs2squash · · Score: 2

      It's a problem of degrees. Name: yes, Phone number: good idea, Address: maybe, Credit card number: no - the card company can process that, DOB - wtf ? Drivers license number, Passport number - really ! They help themselves to all this information because there is no liability attached to it whatsoever and it helps them collect debts and it can be sold.

      This is a problem entirely of their own making and they should be held accountable. A monster fine may well drive one of them out of business, but it sure as hell will make the other hotels more careful, and a bunch of hotel properties come on the market for someone else to run - it's not like a draconian fine would put an end to the hotel business, but it might put an end to the "let's just ask for his SSN while we're at it" business.

      --
      Nullius in verba
  4. Isn't enough enough already? How do we fix this? by Rick+Schumann · · Score: 2

    It seems pretty clear to me that 'data security' doesn't exist, and any data stored anywhere that isn't literally air-gapped is fair game for any script-kiddie with an Internet connection (and even then, air-gapped doesn't exclude you from 'social engineering' and phishing attacks). So how do we fix this? Is it really just a matter of humans being careless, and we need a judicial (perhaps a literal use of the word) application of the Clue-by-Four to administrators and executives? Or are the programmers and systems administrators to blame?

    Last I heard around here, it's entirely likely that nothing is safe, not critical infrastructure systems, not even military systems. So what the actual fuck needs to happen, here? How do we fix this?

  5. oh - so that's who owns that DB on AWS !! by ripvlan · · Score: 2

    Security researchers have been looking for years to see who owns certain "open" shared databases on AWS.

    Apparently Marriott just stepped forward to claim ownership.

    Now that our data is effectively out in the open - there is little to identify us from a trustworthy source. I wonder how banks (et al) are changing to address this. Seriously - if a bank or cellphone company called me to ask where my payment is, I'd ask them to prove "I" opened the account.

    My data has been leaked multiple times. Ticketfly, Anthem, Marriott, Experian, and others I can't remember. (plus Amazon leaked my email address -- via a bug in their "forgot password" feature that returned an error message if the account didn't exist, which I reported to them... thank you... still waiting for my $$$).

    So what data isn't public? Now that everything is public, nothing is private (If everyone is Super, then no-one is)
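The "forgot password" bug ripvlan describes above is a classic account-enumeration oracle: a reset endpoint that answers differently for registered and unregistered addresses lets anyone confirm which e-mails have accounts. The following is an added example, not Amazon's, Marriott's or Slashdot's code; the user table, the handler names and the response strings are all constructed for the demo. It shows the vulnerable handler beside a hardened one that returns the same response on both paths, plus the enumeration sweep an attacker would run against each.

```python
"""
Account-enumeration oracle in a password-reset flow: vulnerable vs hardened.
Added example with a constructed in-memory user store; not code from any
vendor named on the page.
"""
import secrets

# Constructed user store: e-mail address -> per-account state.
# In a real system this would be a database table.
USERS = {
    "alice@example.com": {},
    "bob@example.com": {},
}

# Both handlers return a dict standing in for an HTTP response
# (status code plus body text).


def reset_vulnerable(email: str) -> dict:
    """Vulnerable: status and message differ depending on whether the
    address is registered, so the endpoint doubles as an account oracle."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for that e-mail address."}
    USERS[email]["reset_token"] = secrets.token_urlsafe(32)
    # A real handler would now e-mail the token to the address.
    return {"status": 200, "message": "Reset instructions sent."}


def reset_hardened(email: str) -> dict:
    """Hardened: identical status and body whether or not the account exists.
    A token is still minted only for real accounts, but the caller cannot tell.
    The e-mail send (omitted here) should be queued asynchronously so the
    response time does not leak the branch either; rate limiting per source
    and per address is a separate control."""
    if email in USERS:
        USERS[email]["reset_token"] = secrets.token_urlsafe(32)
    else:
        # Burn roughly equivalent work on the miss path so the two branches
        # are not trivially distinguishable by timing.
        secrets.token_urlsafe(32)
    return {
        "status": 200,
        "message": "If an account exists for that address, reset instructions have been sent.",
    }


def enumerate_accounts(handler, candidates) -> list:
    """What an attacker does with a candidate list: get a baseline response
    for an address that certainly is not registered, then flag every
    candidate whose response differs. Returns the confirmed addresses."""
    baseline = handler(f"{secrets.token_hex(8)}@invalid.example")
    return sorted(c for c in candidates if handler(c) != baseline)


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("vulnerable:", enumerate_accounts(reset_vulnerable, probes))
    print("hardened:  ", enumerate_accounts(reset_hardened, probes))
```

Run as a script, the vulnerable handler hands back exactly the two registered addresses from the probe list while the hardened one yields nothing. The same differential test works against a live endpoint by comparing status codes, bodies, headers and response timing for a known-good and a known-bad address; any stable difference is the bug.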