Slashdot Mirror


Marriott Says Hackers Stole More Than 5 Million Passport Numbers (cnet.com)

Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic. The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests. From a report: Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double that of Equifax, which exposed the personal data of 147.7 million Americans. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit have fallen victim to data breaches. Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.


  1. Sue them senseless by nospam007 · · Score: 3, Insightful

    They deserve it.

    1. Re:Sue them senseless by TheGratefulNet · · Score: 3, Informative

      just WHY does a hotel need to know your PASSPORT number?

      that boggles the mind.

      yesterday, I was talking to an Indian friend and we were talking about privacy and how much info you are willing to give out. I give out NOTHING unless it's really needed; he gives anything you ask. he didn't even understand why it would be a problem to not give out info. I think in India, they are so programmed into following the rules and not challenging authority. when they come here, they continue doing the same and the companies that invade your privacy probably LOVE this.

      as an American, born and raised here, I continue to explain WHY you want to say no to almost all info requests and to limit who gets what, but it's an uphill battle. the 'I've done nothing wrong...' argument is still strong with many kinds of people and we need to change this FAST or we'll continue to supply data to bad guys, who will wield it over us. (btw, the bad guys include local governments; they also can't be trusted with all the info we give them).

      many foreigners don't understand even born/raised Americans are still not getting it. we need to change this but I'm not sure how we can teach people responsible 'info mgmt' behavior. with one breach after another, even that is not enough to show people that they need to say no to data from corps.

      --
      "It is now safe to switch off your computer."
    2. Re:Sue them senseless by froggyjojodaddy · · Score: 4, Insightful

      I *think* it's because some countries/jurisdictions require the hotel to capture certain details, including the passport number. So they're obligated to get it, but clearly they didn't think ahead and actually store that data appropriately.

      Actually, what's more likely is:

      Boss: We need to capture Passport info to be in compliance with blah, blah
      DB admin/Developer: No problem, we need a secure database back end with limited access, auditing capability, and secure.....
      Boss: No, what? No! We don't have money or time for that. Just make it happen
      DB admin/Developer: But this goes against every principle of data management and storage. What if I just...
      Boss: Listen, you're making this overly complicated OK? We're not going to get hacked, just put in an exclamation mark in the regular password I use, Ok?

      A few months later, they get hacked. Developer bears the brunt of the fallout. Boss goes on a nice vacation courtesy of the huge bonus he received a few months prior for "implementing a method to remain compliant with blah, blah law"

    3. Re:Sue them senseless by religionofpeas · · Score: 4, Insightful

      The problem is not giving out your passport number. The problem is that some people/businesses consider a passport number to be an authentication device.

    4. Re: Sue them senseless by houghi · · Score: 2

      I went to these countries. I went to the identical hotel after a week. They said hello, called me by my name, said "we have the same room for you" and asked for my passport again, because they DID NOT KEEP THE DATA.

      Not happened in even one country or in chain of hotels. Due to reasons I had to travel a lot in the last two years.

      Saving that data is not obligatory. It happens on request of the lazy customer who can not wait 30 seconds to reach his minibar.

      --
      Don't fight for your country, if your country does not fight for you.
  2. Some data should be stored offline by davidwr · · Score: 3

    If the law requires you to collect data that you don't need for business purposes, don't store it on a connected computer.

    Scan the passport with a non-networked scanner but store the image on the scanner itself or offline for as long as the law requires, then delete it.

    Make sure that the scans are encrypted and that they can only be decrypted with a key held off-site by corporate security. That way a clerk can't bulk-copy the scans that are stored on-site.

    There is still one hole that can't be fixed: Any clerk that handles a particular passport can make a surreptitious copy for his own use using his own camera. If he has a photographic memory, he can just memorize it. The damage from this method is a lot less than a bulk-data-compromise.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Some data should be stored offline by TechyImmigrant · · Score: 3, Interesting

      My wife's business collects sensitive information - E.G. credit card info for billing customers, but there's quite a bit else. After going through the options, we decided that this stuff would get written in a book. If hackers got in, they wouldn't find much of value to them.

      The cost is you have to punch in the numbers into the card machine when fulfilling an order. The saving is a reduction in PCI-DSS scam audits to pay for and peace of mind.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Re:nothing will happen by b0s0z0ku · · Score: 2

    Using a passport for ID is common in Europe, less so in the US. Sounds like Marriott is due for a good fucking from EU countries, which actually have and enforce privacy laws.

  4. This could be useful by gnasher719 · · Score: 3, Interesting

    The U.K. government has plans that you need to supply a passport number soon to watch porn. What an opportunity: 5 million passport numbers that you can sell one each to five million privacy-conscious Brits who don't want their porn habits leaked.

  5. Marriott tried to block cell communications right? by 140Mandak262Jamuna · · Score: 2

    Didn't they use jammers to prevent people in their conference halls from getting wireless data and thus they could be charged for WiFi?

    Suing Marriott will hurt the present stock owners. Need to put a few executives who approved and supervised the data centers, even if they have resigned from the company, in jail. Only then they will take security seriously. As it stands now, they cash in and leave before the shit hits the fan making bag holders out of shareholders.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. Re:Marriott tried to block cell communications rig by b0s0z0ku · · Score: 3, Informative

    Marriott also owns Doubletree -- recently a Black man was ejected from a Doubletree in Portland for not interrupting a phone call with his family to "prove" that he was a guest there. Never mind that he showed his room key to the hotel's rent-a-cop, apparently that wasn't enough.