date 2001-12-18
from the I-have-reservations dept.
Marriott Hack Hits 500 Million Guests:
The records of 500 million customers of the hotel group Marriott International have been involved in a data breach. The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party. It said an internal investigation found an attacker had been able to access the Starwood network since 2014.
[...] Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.
Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information". It said it believed its database contained records of up to 500 million customers. For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information. It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.
[...] The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.
The attacker had access since... 2014? To the records of half a billion customers? How many can invoke protections provided in GDPR (General Data Protection Regulation)?
Source: Marriott breach leaves 500 million exposed with passport, card numbers stolen
(Score: 2) by iamjacksusername on Saturday December 01, @03:02PM
I repeat myself every time something like this happens. If there were statutory damages such as $10,000 per person per incident that could be filed for by each person, then companies would make damn sure these breaches never happened. It's just that there is no fiduciary feedback mechanism right now and that is the only thing companies respond to. Until there is a mechanism to make companies pay when breaches happen, it will never be fixed. Regulatory capture ensures that government enforcement mechanisms will never be meaningful.