
posted by takyon on Saturday December 01 2018, @02:51PM   Printer-friendly
from the I-have-reservations dept.

Marriott Hack Hits 500 Million Guests:

The records of 500 million customers of the hotel group Marriott International have been involved in a data breach. The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party. It said an internal investigation found an attacker had been able to access the Starwood network since 2014.

[...] Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information". It said it believed its database contained records of up to 500 million customers. For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information. It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

[...] The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.

The attacker had access since... 2014? To the records of half a billion customers? How many can invoke protections provided in GDPR (General Data Protection Regulation)?

Source: Marriott breach leaves 500 million exposed with passport, card numbers stolen



  • (Score: 3, Touché) by Anonymous Coward on Saturday December 01 2018, @04:59PM (4 children)

    by Anonymous Coward on Saturday December 01 2018, @04:59PM (#768656)

    snort! Typical khallow...

    As I read your link, that's just the cost to the breached company. How about the time and hassle of the customers that, as a minimum, need to get new cards/account numbers and then update all auto-pay accounts. Worst case, the customers suffer from identity-theft fraud which can take major time to unwind.

    <sarcasm>Oh, and won't somebody think of the card companies, Mastercard/Visa/AmEx/Discover (etc).</sarcasm>

  • (Score: 2, Interesting) by khallow on Saturday December 01 2018, @05:04PM (3 children)

    by khallow (3766) Subscriber Badge on Saturday December 01 2018, @05:04PM (#768658) Journal

    As I read your link, that's just the cost to the breached company. How about the time and hassle of the customers that, as a minimum, need to get new cards/account numbers and then update all auto-pay accounts. Worst case, the customers suffer from identity-theft fraud which can take major time to unwind.

    And? Point is even under the present environment, data breaches are substantial in cost contrary to the initial assertion. Second, we're ignoring the other parties that have relevance here such as the finance industry and government, both of whom could do considerably more to reduce the cost of data breaches. Why is it fully the responsibility of Marriott when those credit card numbers and other information shouldn't be enough to cause identity-theft issues? There's a lot of sloppiness beyond.

    • (Score: -1, Flamebait) by Anonymous Coward on Saturday December 01 2018, @08:49PM

      by Anonymous Coward on Saturday December 01 2018, @08:49PM (#768723)

      And? Point is even under the present environment,

      khallow and the Environment! Market solutions! Internalizing and reality-based accounting of externalities!
      This is why khallow supports pricing carbon emissions to motivate corps to do something about Anthropogenic Global Warming!

      That khallow! Pure libertarian genius, I say!

    • (Score: 2) by edIII on Saturday December 01 2018, @09:58PM (1 child)

      by edIII (791) on Saturday December 01 2018, @09:58PM (#768741)

      I think it is because the costs you point out, which is a good thing to bring into the discussion, are insufficient. Those are costs of doing business that can be defrayed with appropriate insurance, passed back onto the consumer, and don't provide justice. In this case justice is sought for a crime that I don't think is fairly adjudicated here, and regardless, in order to provide real justice it has to be painful. Painful beyond the normal costs of business. More than that, people want to see the executives themselves suffer (you are aware of my proclivities) and be fined directly. In China, executives do suffer directly, and I think that goes a long way to mollifying the public.

      I think there needs to be personal fines against the executives responsible. Not so much that their entire lives are destroyed and they are left paupers, but at least a few years' salary. Barring that, direct fines to the shareholders through loss of interest to be divided up among the victims.

      However, this may not always be fair. Even if you are PCI-DSS compliant, regularly update your software (part of the problem), encrypt your databases, and otherwise get an A+ from industry pentesters, you can get pwned. A lot of it is inside jobs. How fair is it to seek justice against the company when the company is standing with you as the victim? I say this because I'm responsible for the security in some of the things I do, and I take extreme measures. I'm not *that* confident that I could withstand a nation state or organized crime employing the latest zero days. It was just a couple of days ago that we saw somebody slip malware into a javascript code repository. Just by updating the 3rd party software I use I can get fucked, and I'm strongly motivated to always update my software. All a douchebag has to do is flag it as a security update, and if it were really clever, probably have days having fun in protected networks before detection.

      As long as justice includes a review by several pentesters that can testify I did do reasonably well under market conditions, I'm okay with more stringent measures against the company. That, and if we want to get serious we need to provide a government protected secure code repo for as many languages as possible. An FDA for algorithms, and a strong, reliable way to authenticate code with hashes. The more we rely on that, the more we increase our attack surface elsewhere.

      Seriously, it's easier to just find these people and kill them :) Let that be the punishment if society finds you screwing with their tech maliciously.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
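The check edIII is asking for above, authenticating third-party code against a hash recorded at review time, is what pip's `--require-hashes` mode and the `integrity` field of an npm lockfile do. The following is an added example, not code from the thread or from any real package manager; the package names, file contents, the "security update" and the pinned-hash manifest are all constructed for the illustration. It shows the two failure modes a pin protects against: an artifact that is not pinned at all, and a pinned artifact whose contents changed after review.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical manifest (constructed): dependency name -> SHA-256 hex digest
# recorded by an operator when that exact artifact was reviewed.
PINNED_SHA256: Dict[str, str] = {}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes (tarball, script, wheel...)."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pins: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). Anything unpinned or with a differing digest is rejected.

    A missing pin is a hard failure on purpose: installing code nobody has
    reviewed is exactly the path a trojaned 'security update' takes.
    """
    expected = pins.get(name)
    if expected is None:
        return False, f"{name}: no pinned hash; refusing to install unreviewed code"
    actual = sha256_hex(data)
    # compare_digest: constant-time comparison, and tolerant of upper/lower hex.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, (f"{name}: digest mismatch "
                       f"(pinned {expected[:12]}..., got {actual[:12]}...)")
    return True, f"{name}: digest matches pin"


# Constructed sample artifacts. 'date-utils' is a hypothetical package name.
REVIEWED_DATE_UTILS = (
    b"module.exports = function isoDate(d) { return d.toISOString().slice(0, 10); };\n"
)
# The same package after a hostile maintainer appends a payload and ships it
# flagged as a security update. One extra line is enough to change the digest.
TROJANED_DATE_UTILS = REVIEWED_DATE_UTILS + (
    b"require('child_process').exec(process.env.PAYLOAD || '');\n"
)

# The pin is taken from the reviewed bytes, never from whatever was fetched last.
PINNED_SHA256["date-utils"] = sha256_hex(REVIEWED_DATE_UTILS)


def demo() -> Dict[str, bool]:
    """Run the three cases and return which ones were accepted."""
    results: Dict[str, bool] = {}
    for label, blob in (("reviewed", REVIEWED_DATE_UTILS),
                        ("trojaned", TROJANED_DATE_UTILS)):
        ok, reason = verify_artifact("date-utils", blob, PINNED_SHA256)
        results[label] = ok
        print(reason)
    # A dependency that was never pinned: also rejected, even if it looks harmless.
    ok, reason = verify_artifact("left-padding", b"module.exports = s => s;\n", PINNED_SHA256)
    results["unpinned"] = ok
    print(reason)
    return results


if __name__ == "__main__":
    demo()
```

The pin has to be produced from bytes somebody actually reviewed and stored somewhere the update channel cannot rewrite (a committed lockfile, not the registry's own metadata); otherwise an attacker who can replace the artifact can replace the "expected" hash alongside it, which is the same problem the story raises with encryption keys stored next to the encrypted card data.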
      • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @01:14AM

        by Anonymous Coward on Sunday December 02 2018, @01:14AM (#768783)

        The key is to not collect all this information in the first place. Make sure you don't consolidate all your records in one place that don't need to be, and only locally store critical information rather than upload it to a master database. And don't forget to automatically remove information after a period of time that isn't equivalent to 'forever'. None of this copyright style 'limited time' bullshit that is so long as to be effectively 'unlimited' as the art it purports to advance becomes obsolete.

        Only after you've done all of the above should you consider the security chain reasonable. The current approach of store all sorts of unnecessary things indefinitely in enormous databases can never be secure if the data is accessible to even a single employee.