Slashdot Mirror

← Back to Stories (view on slashdot.org)

Marriott Says Hackers Stole More Than 5 Million Passport Numbers (cnet.com)

Posted by msmash on from the security-woes dept.

Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic. The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests. From a report: Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double that of Equifax, which exposed the personal data of 147.7 million American. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit have fallen victim to data breaches. Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.

38 of 71 comments (clear)

  1. They weren't stolen by Anonymous Coward · · Score: 1

    A hacker tricked the reservation computer into thinking they were uber-platinum-elite guests, and the hotel concierge put the data on a gold-encrusted USB stick in their welcome bag.

  2. Sue them senseless by nospam007 · · Score: 3, Insightful

    They deserve it.

    1. Re:Sue them senseless by TheGratefulNet · · Score: 3, Informative

      just WHY does a hotel need to know your PASSPORT number?

      that boggles the mind.

      yesterday, I was talking to an indian friend and we were talking about privacy and how much info you are willing to give out. I give out NOTHING unless its really needed; he gives anything you ask. he didn't even understand why it would be a problem to not give out info. I think in india, they are so programmed into following the rules and not challenging authority. when they come here, they continue doing the same and the companies that invade your privacy probably LOVE this.

      as an american, born and raised here, I continue to explain WHY you want to say no to almost all info request and to limit who gets what, but its an uphill battle. the 'Ive done nothing wrong...' argument is still strong with many kinds of people and we need to change this FAST or we'll continue to supply data to bad guys, who will wield it over us. (btw, the bad guys include local governments; they also can't be trusted with all the info we give them).

      many foreigners don't understand even even born/raised americans are still not getting it. we need to change this but I'm not sure how we can teach people responsible 'info mgmt' behavior. with one breach after another, even that is not enough to show people that they need to say no to data from corps.

      --

      --
      "It is now safe to switch off your computer."
    2. Re:Sue them senseless by froggyjojodaddy · · Score: 4, Insightful

      I *think* it's because some countries/jurisdictions require the hotel to capture certain details, including the passport number. So they're obligated to get it, but clearly they didn't think ahead and actually store that data appropriately

      Actually, what's more likely is:

      Boss We need to capture Passport info to be in compliance with blah, blah
      DB admin/Developer No problem, we need a secure database back end with limited access, auditing capability, and secure.....
      Boss No, what? No! We don't have money or time for that. Just make it happen
      DB admin/Developer But this goes against every principle of data management and storage. What if I just...
      Boss Listen, you're making this overly complicated OK? We're not going to get hacked, just put in an exclamation mark in the regular password I use, Ok?

      A few months later, they get hacked. Developer bears the brunt of the fallout. Boss goes on a nice vacation courtesy of the huge bonus he received a few months prior for "implementing a method to remain compliant with blah, blah law"

    3. Re:Sue them senseless by OffTheLip · · Score: 1

      I have stayed at a number of hotels in Eastern Europe, central Asia and the middle east where your passport was required at check-in. I assume they scanned it into their system.

    4. Re:Sue them senseless by holophrastic · · Score: 1

      Because we don't teach people, in kindergarten, not to give out their personal information to anyone who asks for it.

      Oh wait, we do. We say: "don't talk to strangers" and we say "don't put your name on your backpack" and we say "don't tell strangers where you live".

      okay, let's rephrase:

      Because we don't teach adults to remember what they learned in kindergarten.

      Oh wait, we do. We say: "everything important, I learned in kindergarten".

      okay, let's rephrase:

      because people are idiots. I blame radio shack. they're the one's that started all of this.

      so the solution is the same as it's always been. we get to wait until the problem is big enough, and then we get to regulate. yay!

      hey marriott, you aren't allowed to hold any customer data for more than a week past the end of their stay. you don't need it.

    5. Re:Sue them senseless by b0s0z0ku · · Score: 1

      The advantage of Eastern Europe and central Asia is that some money can sometimes change hands and pesky requirements for things like passports will go byebye.

    6. Re:Sue them senseless by b0s0z0ku · · Score: 1

      If you plan ahead a bit, you can use Craigslist or similar short-term rental sections. Much less intrusive than things like AirBnB since it's essentally an anonymous transaction.

    7. Re:Sue them senseless by geggam · · Score: 1

      Certain countries require you give your passport information to the hotel

    8. Re:Sue them senseless by religionofpeas · · Score: 4, Insightful

      The problem is not giving out your passport number. The problem is that some people/businesses consider a passport number to be an authentication device.

    9. Re:Sue them senseless by DickBreath · · Score: 1

      > They deserve it.

      It's not ONLY that they deserve it. (which they do!)

      It's that the only way to fix this is to make it way more expensive to get hacked than it would be to prevent getting hacked. Maybe with a side order of jail time for senior executives.

      And you don't sue them senseless. You sue some sense into them.

      For extra security, the security staff should wear the t-shirts inside out to protect the root password from public view. Thank you, the management.

      --

      I'll see your senator, and I'll raise you two judges.
    10. Re:Sue them senseless by BitterOak · · Score: 1

      I *think* it's because some countries/jurisdictions require the hotel to capture certain details, including the passport number.

      Which countries/jurisdictions? I'd honestly like to know so I can avoid them.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    11. Re:Sue them senseless by thegarbz · · Score: 1

      just WHY does a hotel need to know your PASSPORT number?

      Legal requirements for serving foreigners in most countries in the world combined with the concept of having a common database for guests rather than a unstructured garbled mess.

      many foreigners don't understand even even born/raised americans are still not getting it.

      Many foreigners live in countries where your entire life doesn't get royally screwed up just because someone knows your 9 digit number.

    12. Re:Sue them senseless by AHuxley · · Score: 1

      Different nations have police registration for tourists. This allows police to quickly track everyone in their nation as they are citizens/approved tourists/ people allowed to be in that nation.

      --
      Domestic spying is now "Benign Information Gathering"
    13. Re: Sue them senseless by houghi · · Score: 2

      I went to these countries. I went to the identical hotel after a week. They saud hello, called be by my name said "we have the same room for you" and asked for my pasport again, because they DID NOT KEPT THE DATA.

      Not happened in even one country or in chain of hotels. Due to reasons I had to travel a lot in the last two years.

      Saving that data is nit obligatory. It happens on request of the lazy customer who can notwait 30 seconds to reach his minibar.

      --
      Don't fight for your country, if your country does not fight for you.
    14. Re: Sue them senseless by houghi · · Score: 1

      The probleem is that people want it. They like to get the 30 seconds of nit handing over their passport.

      --
      Don't fight for your country, if your country does not fight for you.
    15. Re:Sue them senseless by 0111+1110 · · Score: 1

      I can't use AirBnB because it requires me to photograph my passport but it never accepts the result. It rejects the passport image every single time I try it. Maybe it requires a $700 phone camera. My phone only cost $160. I wonder how many potential customers they have lost because their phone is not a high end flagship with a Leica lens.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  3. Track Down and Kill... by Anonymous Coward · · Score: 1

    ...All Hackers, Virus creators. etc.

    Why is it no resources are ever expended on finding these people and instead spent on an ever expanding effort to block them?

    "You steal shit, and we will come for you" should be the motto of law enforcement. Not, "Steal shit and I'll buy newer locks".

    1. Re:Track Down and Kill... by DickBreath · · Score: 1

      Try this: Offer a bounty / reward program for information leading to the arrest of the hackers. If you make it high enough, you will attract the time and attention of people with sufficient expertise to track them down.

      Yes, it may sound like outsourcing police work. But if it works, and doesn't require lots of donuts, then I don't see a problem with it.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Track Down and Kill... by godel_56 · · Score: 1

      ...All Hackers, Virus creators. etc.

      Why is it no resources are ever expended on finding these people and instead spent on an ever expanding effort to block them?

      "You steal shit, and we will come for you" should be the motto of law enforcement. Not, "Steal shit and I'll buy newer locks".

      The perpetrators of APTs (Advanced Persistent Threats) are the employees of major enemy governments such as Russia, China, and North Korea and they are resident in their home countries. So you go get 'em, boy.

  4. WHY do you need my passport number?????? by Anonymous Coward · · Score: 1

    When did hotels become customs and immigration officers? Why are you recording the information from my drivers license and passport? Why do you need my email address and mobile phone number?????? Why do you need the registration information of my rental car??????

    1. Re:WHY do you need my passport number?????? by b0s0z0ku · · Score: 1

      I can understand the driver's license or passport info -- if you cause damage to the hotel and your card doesn't cover it, they want to know who to bill.

    2. Re:WHY do you need my passport number?????? by Local+ID10T · · Score: 1

      OK. I'll bite and try to give real answers.

      When did hotels become customs and immigration officers?

      They are not.

      Why are you recording the information from my drivers license and passport?

      Because the law requires it.

      Why do you need my email address and mobile phone number??????

      To contact you. Email is for non-urgent communications -e.g. reservation confirmations and copies of your bill (and likely for marketing spam). Mobile phone is for urgent communications -e.g. (water leak / fire / burglary) affecting your room and possessions while you were out.

      Why do you need the registration information of my rental car??????

      To identify which cars in the parking lot are from registered guests. Perhaps there was an accident involving a parked car -would you rather get a call from the front desk, or just be surprised when you go to leave? Perhaps there was a hit & run, and the police tracked the car to this hotel...

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
  5. nothing will happen by Anonymous Coward · · Score: 1

    no fines, no one jailed, nothing. business will continue as usual

    It's as if PCI compliance does not exist. Well it doesn't, no one gets in trouble for shit.

    Fuck PCI compliance with a big rubber dick.

    1. Re:nothing will happen by b0s0z0ku · · Score: 2

      Using a passport for ID is common in Europe, less so in the US. Sounds like Marriot is due for a good fucking from EU countries, which actually have and enforce privacy laws.

  6. Why? by Anonymous Coward · · Score: 1

    Why does a hotel chain store passport numbers of its guests? Even if they legitimately do need the information for some reason, shouldn't it be deleted after a short period of time?

    1. Re:Why? by b0s0z0ku · · Score: 1

      Because they can and don't have to delete it -- so their systems are set up not to. It should be really deleted after a few days, after it's proven that there's no damage to the hotel from guests.

  7. Easier said than done by DogDude · · Score: 1

    In the US, a lawsuit is, minimum, $100K.

    --
    I don't respond to AC's.
  8. Some data should be stored offline by davidwr · · Score: 3

    If the law requires you to collect data that you don't need for business purposes, don't store it on a connected computer.

    Scan the passport with a non-networked scanner but store the image on the scanner itself or offline for as long as the law requires, then delete it.

    Make sure that the scans are encrypted and that they can only be decrypted with a key held off-site by corporate security. That way a clerk can't bulk-copy the scans that are stored on-site.

    There is still one hole that can't be fixed: Any clerk that handles a particular passport can make a surreptitious copy for his own use using his own camera. If he has a photographic memory, he can just memorize it. The damage from this method is a lot less than a bulk-data-compromise.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Some data should be stored offline by TechyImmigrant · · Score: 3, Interesting

      My wife's business collects sensitive information - E.G. credit card info for billing customers, but there's quite a bit else. After going through the options, we decided that this stuff would get written in a book. If hackers got in, they wouldn't find much of value to them.

      The cost is you have to punch in the numbers into the card machine when fulfilling order. The saving is a reduction in PCI-DSS scam audits to pay for and peace of mind.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Some data should be stored offline by thegarbz · · Score: 1

      Holy crap can you come up with any more complicated and expensive to run and maintain system? I'm sure Marriott would rather go bankrupt due to fines and being sued rather than high overhead costs of ill conceived security measures.

  9. This could be useful by gnasher719 · · Score: 3, Interesting

    The U.K. government has plans that you need to supply a passport number soon to watch porn. What an opportunity: 5 million passport numbers that you can sell one each to five million privacy-conscious Brits who donâ(TM)t want their porn habits leaked.

  10. Marriott tried to block cell communications right? by 140Mandak262Jamuna · · Score: 2
    Didn't they use jammers to prevent people in their conference halls from getting wireless data and thus they could be charged for WiFi?

    Suing Marriott will hurt the present stock owners. Need to put a few executives who approved and supervised the data centers, even if they have resigned from the company, in jail. Only then they will take security seriously. As it stands now, they cash in and leave before the shit hits the fan making bag holders out of shareholders.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Stop storing my damn information. by Anonymous Coward · · Score: 1

    Stop storing my damn information.

  12. Re:LOL by b0s0z0ku · · Score: 1

    DL actually gives the snooping assholes more information than a passport -- passport doesn't have an address on it, so you can lie about your home address if you want to give as little info as possible.

  13. Re:Marriott tried to block cell communications rig by b0s0z0ku · · Score: 3, Informative

    Marriot also owns Doubletree -- recently a Black man was ejected from a Doubletree in Portland for not interrupting a phone call with his family to "prove" that he was a guest there. Never mind that he showed his room key to the hotel's rent-a-cop, apparently that wasn't enough.

  14. Marriott also has physical security issues by schwit1 · · Score: 1

    https://www.youtube.com/watch?...

    For your own protection in mat be better to stay someplace else.

  15. Re:5 million x $1,000 fine each, ouch by FormOfActionBanana · · Score: 1

    It's not 5 million. 500 million.

    --
    Take off every 'sig' !!