posted by takyon on Saturday December 01 2018, @02:51PM
from the I-have-reservations dept.

Marriott Hack Hits 500 Million Guests:

The records of 500 million customers of the hotel group Marriott International have been involved in a data breach. The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party. It said an internal investigation found an attacker had been able to access the Starwood network since 2014.

[...] Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information". It said it believed its database contained records of up to 500 million customers. For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information. It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

[...] The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.

The attacker had access since... 2014? To the records of half a billion customers? How many can invoke protections provided in GDPR (General Data Protection Regulation)?

Source: Marriott breach leaves 500 million exposed with passport, card numbers stolen


  • (Score: 5, Insightful) by iamjacksusername on Saturday December 01 2018, @03:02PM (8 children)

    by iamjacksusername (1479) on Saturday December 01 2018, @03:02PM (#768628)

    I repeat myself every time something like this happens. If there were statutory damages such as $10,000 per person per incident that could be filed for by each person, then companies would make damn sure these breaches never happened. It's just that there is no fiduciary feedback mechanism right now and that is the only thing companies respond to. Until there is a mechanism to make companies pay when breaches happen, it will never be fixed. Regulatory capture ensures that government enforcement mechanisms will never be meaningful.

  • (Score: 2, Insightful) by khallow on Saturday December 01 2018, @04:49PM (5 children)

    by khallow (3766) Subscriber Badge on Saturday December 01 2018, @04:49PM (#768655) Journal
    Let's look at actual estimates [forbes.com] of the costs of data breaches:

    The potential cost of an incident depends on several factors with the financial impact rising in line with the number of records stolen. On average, each record costs $148 and a breach of 1 million records costs $40 million while a breach of 50 million costs $350 million. The research also found that the efficiency in identifying an incident and the speed of the response has a huge impact on its overall cost. On average, it took companies 197 days to identify a data breach and 69 days to contain it.

    It's probably going to cost Marriott on the order of several billion dollars since apparently credit card numbers were involved. I figure around two years of net income ($1.4 billion [marketwatch.com] in 2017). You decide whether that is adequate damages or not.

    • (Score: 3, Touché) by Anonymous Coward on Saturday December 01 2018, @04:59PM (4 children)

      by Anonymous Coward on Saturday December 01 2018, @04:59PM (#768656)

      snort! Typical khallow...

      As I read your link, that's just the cost to the breached company. How about the time and hassle of the customers that, as a minimum, need to get new cards/account numbers and then update all auto-pay accounts. Worst case, the customers suffer from identity-theft fraud which can take major time to unwind.

      <sarcasm>Oh, and won't somebody think of the card companies, Mastercard/Visa/AmEx/Discover (etc).</sarcasm>

      • (Score: 2, Interesting) by khallow on Saturday December 01 2018, @05:04PM (3 children)

        by khallow (3766) Subscriber Badge on Saturday December 01 2018, @05:04PM (#768658) Journal

        As I read your link, that's just the cost to the breached company. How about the time and hassle of the customers that, as a minimum, need to get new cards/account numbers and then update all auto-pay accounts. Worst case, the customers suffer from identity-theft fraud which can take major time to unwind.

        And? Point is even under the present environment, data breaches are substantial in cost contrary to initial assertion. Second, we're ignoring the other parties that have relevance here such as the finance industry and government, both of whom could do considerably more to reduce the cost of data breaches. Why is it fully the responsibility of Marriott when those credit card numbers and other information shouldn't be enough to cause identity-theft issues? There's a lot of sloppiness beyond.

        • (Score: -1, Flamebait) by Anonymous Coward on Saturday December 01 2018, @08:49PM

          by Anonymous Coward on Saturday December 01 2018, @08:49PM (#768723)

          And? Point is even under the present environment,

          khallow and the Environment! Market solutions! Internalizing and reality-based accounting of externalities!
          This is why khallow supports pricing carbon emissions to motivate corps to do something about Anthropogenic Global Warming!

          That khallow! Pure libertarian genius, I say!

        • (Score: 2) by edIII on Saturday December 01 2018, @09:58PM (1 child)

          by edIII (791) on Saturday December 01 2018, @09:58PM (#768741)

          I think it is because the costs you point out, which is a good thing to bring into the discussion, are insufficient. Those are costs of doing business that can be defrayed with appropriate insurance, passed back onto the consumer, and don't provide justice. In this case justice is sought for a crime that I don't think is fairly adjudicated here, and regardless, in order to provide real justice it has to be painful. Painful beyond the normal costs of business. More than that, people want to see the executives themselves suffer (you are aware of my proclivities) and be fined directly. In China, executives do suffer directly, and I think that goes a long way to mollifying the public.

          I think there needs to be personal fines against the executives responsible. Not so much that their entire lives are destroyed and left paupers, but at least a few years' salary. Barring that, direct fines to the shareholders through loss of interest to be divided up among the victims.

          However, this may not always be fair. Even if you are PCI-DSS compliant, regularly update your software (part of the problem), encrypt your databases, and otherwise get an A+ from industry pentesters, you can get pwned. A lot of it is inside jobs. How fair is it to seek justice against the company when the company is standing with you as the victim? I say this because I'm responsible for the security in some of the things I do, and I take extreme measures. I'm not *that* confident that I could withstand a nation state or organized crime employing the latest zero days. It was just a couple days ago that we saw somebody slip malware into a javascript code repository. Just by updating the 3rd party software I use I can get fucked, and I'm strongly motivated to always update my software. All a douchebag has to do is flag it as a security update, and if it were really clever, probably have days having fun in protected networks before detection.

          As long as justice includes a review by several pentesters that can testify I did do reasonably well under market conditions, I'm okay with more stringent measures against the company. That, and if we want to get serious we need to provide a government protected secure code repo for as many languages as possible. An FDA for algorithms, and a strong, reliable way to authenticate code with hashes. The more we rely on that, we increase our attack surface elsewhere.

          Seriously, it's easier to just find these people and kill them :) Let that be the punishment if society finds you screwing with their tech maliciously.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
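The hash-based authentication of third-party code that the comment above asks for, shown as an added example that is not code from this page, from any commenter, or from any project mentioned here. It mimics the `integrity` field of npm's package-lock.json ("sha512-<base64 digest>") and checks freshly fetched package contents against digests pinned when the packages were reviewed; the package names, contents, digests and lockfile are all constructed for the demonstration.

```python
"""Verify fetched third-party packages against digests pinned at review time.

Added example, not code from the page or from any project it mentions. The
lockfile layout imitates the `integrity` field of npm's package-lock.json
("sha512-<base64 digest>"); package names, contents and digests below are
constructed for this demonstration.
"""
import base64
import hashlib
import hmac


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity style string '<algo>-<base64 digest>' of data."""
    digest = hashlib.new(algo, data).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


# Contents that were reviewed when the pins were recorded (constructed).
REVIEWED = {
    "pad-helper@1.0.0": b"module.exports = (s, n) => s.padStart(n);\n",
    "stream-helper@2.1.0": b"module.exports = require('./lib/stream');\n",
}

# Constructed lockfile: one pin per package; the third package has no pin.
LOCKFILE = {
    "pad-helper@1.0.0": {"integrity": sri(REVIEWED["pad-helper@1.0.0"])},
    "stream-helper@2.1.0": {"integrity": sri(REVIEWED["stream-helper@2.1.0"])},
    "flat-helper@0.1.0": {},
}

# What the package manager just downloaded (constructed). The stream-helper
# contents have had an extra line appended since they were reviewed.
FETCHED = {
    "pad-helper@1.0.0": REVIEWED["pad-helper@1.0.0"],
    "stream-helper@2.1.0": REVIEWED["stream-helper@2.1.0"]
    + b"require('./lib/extra');\n",
    "flat-helper@0.1.0": b"module.exports = {};\n",
    "surprise-helper@9.9.9": b"// not in the lockfile at all\n",
}


def verify(lockfile: dict, fetched: dict) -> dict:
    """Map each package to 'ok', 'mismatch', 'unpinned', 'missing' or 'unexpected'."""
    status = {}
    for name, entry in lockfile.items():
        data = fetched.get(name)
        if data is None:
            status[name] = "missing"        # pinned but not delivered
            continue
        expected = entry.get("integrity")
        if not expected:
            status[name] = "unpinned"       # nothing to check against
            continue
        algo, _, _ = expected.partition("-")
        actual = sri(data, algo)
        # Constant-time comparison; a mismatch means the bytes changed after review.
        status[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in fetched:
        if name not in lockfile:
            status[name] = "unexpected"     # dependency that review never saw
    return status


def safe_to_install(lockfile: dict, fetched: dict) -> bool:
    """Install only when every package is pinned, present and unchanged."""
    return all(s == "ok" for s in verify(lockfile, fetched).values())


if __name__ == "__main__":
    for pkg, result in sorted(verify(LOCKFILE, FETCHED).items()):
        print(f"{pkg:24} {result}")
    print("safe to install:", safe_to_install(LOCKFILE, FETCHED))
```

The check refuses the whole update on any non-`ok` status, including a package that simply has no pin: an unpinned dependency is exactly the gap a tampered "security update" would slip through, so it is treated as a failure rather than a warning.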
          • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @01:14AM

            by Anonymous Coward on Sunday December 02 2018, @01:14AM (#768783)

            The key is to not collect all this information in the first place. Make sure you don't consolidate all your records in one place that don't need to be, and only locally store critical information rather than upload it to a master database. And don't forget to automatically remove information after a period of time that isn't equivalent to 'forever'. None of this copyright style 'limited time' bullshit that is so long as to be effectively 'unlimited' as the art it purports to advance becomes obsolete.

            Only after you've done all of the above should you consider the security chain reasonable. The current approach of storing all sorts of unnecessary things indefinitely in enormous databases can never be secure if the data is accessible to even a single employee.
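The intake minimisation and time-limited retention the comment above describes, as an added example that is not code from this page, from any commenter, or from any hotel system: an allow-list applied when a reservation is taken, followed by a per-field retention sweep keyed to the departure date. The field names, retention periods and sample records are constructed assumptions, not anything Marriott or Starwood actually uses.

```python
"""Collect only the fields a reservation needs, and expire them on a schedule.

Added example, not code from the page or from any hotel system. Field names,
retention periods and sample records are constructed for the demonstration.
"""
from datetime import date, timedelta

# Fields the reservation system is allowed to keep at all (constructed allow-list).
ALLOWED_FIELDS = {"name", "email", "arrival", "departure", "passport_number"}

# Days after departure that each field may survive (constructed policy).
# A field missing here is never retained at all.
RETENTION_DAYS = {
    "passport_number": 0,    # cleared the day after the stay ends
    "email": 30,             # long enough to send the invoice
    "name": 365,
    "arrival": 365,
    "departure": 365,
}


def minimise_at_intake(submitted):
    """Drop everything the booking form sent that the allow-list does not name."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}


def apply_retention(records, today):
    """Return the records that survive a retention sweep run on `today`.

    Each field is kept only while today <= departure + its retention window.
    A record whose `departure` field has itself expired is dropped entirely.
    """
    kept = []
    for record in records:
        departure = record["departure"]
        survivor = {}
        for name, value in record.items():
            window = RETENTION_DAYS.get(name)
            if window is None:
                continue                       # not in policy: never retained
            if today > departure + timedelta(days=window):
                continue                       # window elapsed: field removed
            survivor[name] = value
        if "departure" in survivor:            # whole record still in scope
            kept.append(survivor)
    return kept


# Constructed booking-form submissions, deliberately over-collecting.
SUBMISSIONS = [
    {"name": "A. Guest", "email": "a@example.invalid", "gender": "F",
     "date_of_birth": date(1980, 1, 1), "phone": "+1 555 0100",
     "passport_number": "X0000001", "arrival": date(2018, 11, 25),
     "departure": date(2018, 11, 28)},
    {"name": "B. Guest", "email": "b@example.invalid", "phone": "+1 555 0101",
     "passport_number": "X0000002", "arrival": date(2018, 9, 28),
     "departure": date(2018, 10, 1)},
    {"name": "C. Guest", "email": "c@example.invalid",
     "passport_number": "X0000003", "arrival": date(2017, 5, 30),
     "departure": date(2017, 6, 1)},
]

# What actually lands in the database: gender, date of birth and phone never arrive.
STORED = [minimise_at_intake(s) for s in SUBMISSIONS]


def sweep_on(year, month, day):
    """Run the retention sweep over the stored records as of a calendar date."""
    return apply_retention(STORED, date(year, month, day))


if __name__ == "__main__":
    for rec in sweep_on(2018, 12, 1):
        print(sorted(rec))
```

Run as of 1 December 2018, the sweep leaves guest A with name and e-mail but no passport number, guest B with name only, and drops guest C's 2017 stay entirely; the point is that a copy of the database taken at any moment contains only what the policy still permits, rather than everything ever collected.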

  • (Score: 3, Insightful) by RandomFactor on Saturday December 01 2018, @10:56PM

    by RandomFactor (3682) Subscriber Badge on Saturday December 01 2018, @10:56PM (#768750) Journal

    I do too.
    If there was direct executive liability for breaches due to negligence and poor practices, then information security would be taken far more seriously. Just making the company, and by extension the plebs in the company, pay fines (even huge ones), allows for a top level value calculation that shouldn't be acceptable.

    As there is no such connection of the pain into the governance of the company (it's the company's money, and the customer's information, not the executives' hide that suffers), the C*s just yell at the security people after the fact and up the security budget for a while to buy an extra tool or two.

    Now what form that liability needs to take can be debated, but it needs to be direct and personal.

    --
    There is no news in Pravda, and no truth in Izvestia.
  • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @12:05AM

    by Anonymous Coward on Sunday December 02 2018, @12:05AM (#768766)

    Every time I check into a hotel I think over that they don't need my real name, DOB, address, credit card info. I know they have to protect themselves but they are a honeypot waiting to be robbed. Assholes.