
posted by takyon on Saturday December 01 2018, @02:51PM
from the I-have-reservations dept.

Marriott Hack Hits 500 Million Guests:

The records of 500 million customers of the hotel group Marriott International have been involved in a data breach. The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party. It said an internal investigation found an attacker had been able to access the Starwood network since 2014.

[...] Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information". It said it believed its database contained records of up to 500 million customers. For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information. It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

[...] The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.

The attacker had access since... 2014? To the records of half a billion customers? How many can invoke protections provided in GDPR (General Data Protection Regulation)?

Source: Marriott breach leaves 500 million exposed with passport, card numbers stolen


Original Submission #1, Original Submission #2

  • (Score: 2, Interesting) by Anonymous Coward on Saturday December 01 2018, @04:05PM (#768645) (1 child)

    These failures are and have been with the hotels since the 80s at a minimum. The hotel business always comes out shocked that this happens. Guess what...

    One of the best examples: Hong Kong in the late 80s, cards were "stolen" and clones were on the streets within 1 hour of check-in. The method was tapping the credit card processing center's modems. The traffic was sent unencrypted over dial-up modems (ZonJr, anyone?). The track info was read and passed to the clearing house, which then did the real work on the information. Hell, today that mag strip on the back of your card... is unencrypted. But since it is universally read... it will be, because EVERYONE needs to decode it.

    The high security machines have their weak points too. With TELNET all traffic is unencrypted, so a card reader that feeds information over that link... all the information is in the clear. You don't use Telnet or other unencrypted equipment? Look at the keyboard and mouse under / in your hands. Let alone the display in front of your eyes. But look at database access, internal web servers... try Wireshark and see the free info that is going by.

    What most people think... the firewall is between my network and the internet. WRONG! You need tiers of firewalls and encryption.

    Helped one insurance company install a firewall between their own desktops and NOC, IN THE SAME BUILDING. The reason was that OS upgrades turn on ports and features that are normally off or should be off. Like IBM DB2 server ports that are being used. The firewall faced both sides with a hard wall and only the needed ports were opened for two-way traffic. So if a virus did get into the server, there was no "exit". The systems could not even get to the internet to get updates. Those were brought in manually and only by CD.

    One large hotel chain rewrote the terminal interface so that all traffic was encrypted field by field, with different encryption keys and self flags. And stored that data in the database encrypted with multiple different keys per column. The servers did not have, nor had access to, the keys, which were stored elsewhere on a different sub-net behind a two-sided firewall. Only a "terminal" function could access the encrypted column and the decoding key. But it put into place that if the database got out... there was nothing there that is usable (directly); if the keys got out, the same. You had to break into two different networks to get both parts. And again the ports were firewalled/blocked to prevent extra access ports. In this manner the point where all the data is in the clear is at the terminal... the weakest link.

    You must think and REQUIRE businesses to treat your information as personal. I walked out of a doctor's office that required Social Security Numbers. I reported hospitals to ADA and HIPAA oversight agencies for reading my information back to me. They really hate it when I repeat back to them information that I got just standing in the room with others checking in... including their birth dates, Social Security Numbers, and other personal information, readable from afar or read out loud.

    If you do not "teach" them about their failures... these reports will go on forever.

    LASTLY, it is time that ALL companies are required to report failures on the DAY of the event, the exact same day as the lowly tech found it, not months later after PR firms get a chance to spin it. The companies that harvest or store personal data... MUST BE REQUIRED TO BUY personal insurance monitoring like LIFE-LOCK or BETTER, for every person in the database. With yearly reports to be provided (akin to Credit Reports) so each and every person can see EXACTLY all the information they have about you, or used, or "said" or "told" others about you, who they are and so on, in the last 5 years. So no hiding the access. Add to that... 1) Automatic civil penalties payable to each affected person. 2) Criminal penalties for the board and all executive officers (they "are" the company). Finally, death to the company itself, if the acts are egregious enough, with "claw-back" of all money paid to top tier officers to cover all debts to employees and injured persons.

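The "keys on a different sub-net, database never sees a key, only the terminal function joins the two" design described in the comment above, as an added example that is not the hotel chain's code and not part of the original page. It is also the property Marriott could not vouch for in the story itself: if the encryption keys travel with the database, column encryption buys nothing. The column names (`passport`, `card`), the role name `terminal`, the sample guest record and the key-store interface are all assumptions made for the example; the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the script runs with the standard library (use AES-GCM or another real AEAD in production).

```python
"""Toy model of per-column encryption with keys held outside the database.

Added example, not the hotel chain's code. Each sensitive column is
encrypted under its own key; the keys live in a separate key store that
answers only the "terminal" role. A copy of the database alone, or of the
key store alone, does not yield a guest record.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample record; the PAN is the standard 4111... test number.
SAMPLE_GUEST = {"name": "A. Guest", "passport": "X1234567", "card": "4111111111111111"}


def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from one column key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce per value keeps equal
    plaintexts (same card on two bookings) from producing equal ciphertexts."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong column key or a modified blob raises
    ValueError instead of returning garbage that looks like a record."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ColumnKeyStore:
    """Stands in for the key service on the separate, firewalled subnet.
    One key per sensitive column; only the terminal role may fetch one."""

    def __init__(self, columns):
        self._keys = {c: os.urandom(32) for c in columns}

    def key_for(self, column: str, role: str) -> bytes:
        if role != "terminal":
            raise PermissionError(f"role {role!r} may not fetch column keys")
        return self._keys[column]

    def dump(self) -> dict:
        """What an attacker who reaches only the key subnet gets: keys, no data."""
        return dict(self._keys)


class ReservationDB:
    """Stands in for the reservation database. It stores blobs and never
    holds or requests a key."""
    SENSITIVE = ("passport", "card")

    def __init__(self):
        self._rows = {}

    def store(self, row_id: int, row: dict) -> None:
        self._rows[row_id] = dict(row)

    def dump(self) -> dict:
        """What an attacker who copies the database gets: ciphertext only."""
        return {rid: dict(row) for rid, row in self._rows.items()}


def terminal_write(db: ReservationDB, ks: ColumnKeyStore, row_id: int, record: dict, role: str) -> None:
    """Encrypt sensitive columns at the terminal, each under its own key."""
    row = {c: (encrypt(ks.key_for(c, role), v.encode()) if c in ReservationDB.SENSITIVE else v)
           for c, v in record.items()}
    db.store(row_id, row)


def terminal_read(db: ReservationDB, ks: ColumnKeyStore, row_id: int, role: str) -> dict:
    """The one code path that joins both halves; the key store refuses any
    other role before a single blob is decrypted."""
    row = db.dump()[row_id]
    return {c: (decrypt(ks.key_for(c, role), v).decode() if c in ReservationDB.SENSITIVE else v)
            for c, v in row.items()}


if __name__ == "__main__":
    db, ks = ReservationDB(), ColumnKeyStore(ReservationDB.SENSITIVE)
    terminal_write(db, ks, 1, SAMPLE_GUEST, "terminal")
    print("db dump:", db.dump()[1])            # blobs, no passport or PAN visible
    print("terminal:", terminal_read(db, ks, 1, "terminal"))
```

The point of the split is in the failure cases, not the happy path: a batch job or web server role gets `PermissionError` from the key store, a dumped `passport` blob fed to the `card` key fails authentication, and flipping one byte of a blob is rejected rather than decrypted. The terminal remains the place where data is in the clear, which is exactly the "weakest link" the comment ends on.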
  • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @12:10AM (#768768)

    It won't happen.

    I don't know what the deal is with hotels these days, but I used to use the temporary or gift credit cards so if the hotel was breached at least all they got was my name and address. Now they all demand a 'real' credit card.
    It is getting to the point where it is worthwhile having a credit card specifically for hotels, then replacing it with a different card every 3 months.