SoylentNews is people

posted by takyon on Saturday December 01 2018, @02:51PM
from the I-have-reservations dept.

Marriott Hack Hits 500 Million Guests:

The records of 500 million customers of the hotel group Marriott International have been involved in a data breach. The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party. It said an internal investigation found an attacker had been able to access the Starwood network since 2014.

[...] Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information". It said it believed its database contained records of up to 500 million customers. For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information. It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

[...] The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.

The attacker had access since... 2014? To the records of half a billion customers? How many can invoke protections provided in GDPR (General Data Protection Regulation)?

Source: Marriott breach leaves 500 million exposed with passport, card numbers stolen


Original Submission #1, Original Submission #2

 
  • (Score: 3, Informative) by Joe Desertrat on Saturday December 01 2018, @10:50PM


    It would be nice if they actually told us how long they keep details in the database after someone's visit. Based on the fact they don't tell us, and on the numbers suspected to be involved, I wonder if it's forever!

    Any hotel software I've seen saves a guest history. Most is just name, address, phone number, number of stays, fairly innocuous stuff like that. Usually it gets purged after a specified period of time if that guest is inactive in the system. However, accepting credit cards adds a whole new level to data required to be saved (although hopefully not in guest history). At the very least, it has to be saved for the period that credit card issuers allow chargebacks. Any guest can leave a hotel after running up a tab, go home and call up their credit card issuer to dispute the charge. The burden of proof that the charge is legit then falls upon the business. In some cases this could be up to a year after the charge was made. Add to that that most states require data to be saved for seven years for tax audit purposes. Usually this involves mass storage of boxes of paper, but not necessarily. Payroll and accounting software could have social security numbers for employees and vendors virtually forever. There end up being several areas where data could be stolen. Any and every one of those areas is likely to have software accessible that is "cloud" accessible, which makes it vulnerable no matter how strongly the attempts are made to secure it.
