posted by takyon on Saturday December 01 2018, @02:51PM   Printer-friendly
from the I-have-reservations dept.

Marriott Hack Hits 500 Million Guests:

The records of 500 million customers of the hotel group Marriott International have been involved in a data breach. The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party. It said an internal investigation found an attacker had been able to access the Starwood network since 2014.

[...] Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an "unauthorised party had copied and encrypted information". It said it believed its database contained records of up to 500 million customers. For about 327 million guests, the information included "some combination" of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information. It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

[...] The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.

The attacker had access since... 2014? To the records of half a billion customers? How many can invoke protections provided in GDPR (General Data Protection Regulation)?

Source: Marriott breach leaves 500 million exposed with passport, card numbers stolen


  • (Score: 5, Insightful) by iamjacksusername on Saturday December 01 2018, @03:02PM (8 children)

    by iamjacksusername (1479) on Saturday December 01 2018, @03:02PM (#768628)

    I repeat myself every time something like this happens. If there were statutory damages such as $10,000 per person per incident that could be filed for by each person, then companies would make damn sure these breaches never happened. It's just that there is no fiduciary feedback mechanism right now and that is the only thing companies respond to. Until there is a mechanism to make companies pay when breaches happen, it will never be fixed. Regulatory capture ensures that government enforcement mechanisms will never be meaningful.

    • (Score: 2, Insightful) by khallow on Saturday December 01 2018, @04:49PM (5 children)

      by khallow (3766) Subscriber Badge on Saturday December 01 2018, @04:49PM (#768655) Journal
      Let's look at actual estimates [forbes.com] of the costs of data breaches:

      The potential cost of an incident depends on several factors with the financial impact rising in line with the number of records stolen. On average, each record costs $148 and a breach of 1 million records costs $40 million while a breach of 50 million costs $350 million. The research also found that the efficiency in identifying an incident and the speed of the response has a huge impact on its overall cost. On average, it took companies 197 days to identify a data breach and 69 days to contain it.

      It's probably going to cost Marriott on the order of several billion dollars since apparently credit card numbers were involved. I figure around two years of net income ($1.4 billion [marketwatch.com] in 2017). You decide whether that is adequate damages or not.

      • (Score: 3, Touché) by Anonymous Coward on Saturday December 01 2018, @04:59PM (4 children)

        by Anonymous Coward on Saturday December 01 2018, @04:59PM (#768656)

        snort! Typical khallow...

        As I read your link, that's just the cost to the breached company. How about the time and hassle of the customers that, as a minimum, need to get new cards/account numbers and then update all auto-pay accounts. Worst case, the customers suffer from identity-theft fraud which can take major time to unwind.

        <sarcasm>Oh, and won't somebody think of the card companies, Mastercard/Visa/AmEx/Discover (etc).</sarcasm>

        • (Score: 2, Interesting) by khallow on Saturday December 01 2018, @05:04PM (3 children)

          by khallow (3766) Subscriber Badge on Saturday December 01 2018, @05:04PM (#768658) Journal

          As I read your link, that's just the cost to the breached company. How about the time and hassle of the customers that, as a minimum, need to get new cards/account numbers and then update all auto-pay accounts. Worst case, the customers suffer from identity-theft fraud which can take major time to unwind.

          And? Point is even under the present environment, data breaches are substantial in cost contrary to initial assertion. Second, we're ignoring the other parties that have relevance here such as the finance industry and government, both who could do considerably more to reduce the cost of data breaches. Why is it fully the responsibility of Marriott when those credit card numbers and other information shouldn't be enough to cause identity-theft issues? There's a lot of sloppiness beyond.

          • (Score: -1, Flamebait) by Anonymous Coward on Saturday December 01 2018, @08:49PM

            by Anonymous Coward on Saturday December 01 2018, @08:49PM (#768723)

            And? Point is even under the present environment,

            khallow and the Environment! Market solutions! Internalizing and reality-based accounting of externalities!
            This is why khallow supports pricing carbon emissions to motivate corps to do something about Anthropogenic Global Warming!

            That khallow! Pure libertarian genius, I say!

          • (Score: 2) by edIII on Saturday December 01 2018, @09:58PM (1 child)

            by edIII (791) on Saturday December 01 2018, @09:58PM (#768741)

            I think it is because the costs you point out, which is a good thing to bring into the discussion, are insufficient. Those are costs of doing business that can be defrayed with appropriate insurance, passed back onto the consumer, and don't provide justice. In this case justice is sought for a crime that I don't think is fairly adjudicated here, and regardless, in order to provide real justice it has to be painful. Painful beyond the normal costs of business. More than that, people want to see the executives themselves suffer (you are aware of my proclivities) and be fined directly. In China, executives do suffer directly, and I think that goes a long way to mollifying the public.

            I think there needs to be personal fines against the executives responsible. Not so much that their entire lives are destroyed and they are left paupers, but at least a few years' salary. Barring that, direct fines to the shareholders through loss of interest to be divided up among the victims.

            However, this may not always be fair. Even if you are PCI-DSS compliant, regularly update your software (part of the problem), encrypt your databases, and otherwise get an A+ from industry pentesters, you can get pwned. A lot of it is inside jobs. How fair is it to seek justice against the company when the company is standing with you as the victim? I say this because I'm responsible for the security in some of the things I do, and I take extreme measures. I'm not *that* confident that I could withstand a nation state or organized crime employing the latest zero days. It was just a couple days ago that we saw somebody slip malware into a javascript code repository. Just by updating the 3rd party software I use I can get fucked, and I'm strongly motivated to always update my software. All a douchebag has to do is flag it as a security update, and if it were really clever, probably have days having fun in protected networks before detection.

            As long as justice includes a review by several pentesters that can testify I did do reasonably well under market conditions, I'm okay with more stringent measures against the company. That, and if we want to get serious we need to provide a government protected secure code repo for as many languages as possible. An FDA for algorithms, and a strong, reliable way to authenticate code with hashes. The more we rely on that, the more we increase our attack surface elsewhere.

            Seriously, it's easier to just find these people and kill them :) Let that be the punishment if society finds you screwing with their tech maliciously.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
            • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @01:14AM

              by Anonymous Coward on Sunday December 02 2018, @01:14AM (#768783)

              The key is to not collect all this information in the first place. Make sure you don't consolidate all your records in one place that don't need to be, and only locally store critical information rather than upload it to a master database. And don't forget to automatically remove information after a period of time that isn't equivalent to 'forever'. None of this copyright style 'limited time' bullshit that is so long as to be effectively 'unlimited' as the art it purports to advance becomes obsolete.

              Only after you've done all of the above should you consider the security chain reasonable. The current approach of store all sorts of unnecessary things indefinitely in enormous databases can never be secure if the data is accessible to even a single employee.

    • (Score: 3, Insightful) by RandomFactor on Saturday December 01 2018, @10:56PM

      by RandomFactor (3682) Subscriber Badge on Saturday December 01 2018, @10:56PM (#768750) Journal

      I do too.
      If there was direct executive liability for breaches due to negligence and poor practices, then information security would be taken far more seriously. Just making the company, and by extension the plebs in the company, pay fines (even huge ones), allows for a top level value calculation that shouldn't be acceptable.
      .
      As there is no such connection of the pain into the governance of the company (it's the company's money, and the customer's information, not the executives' hide that suffers), the C*s just yell at the security people after the fact and up the security budget for a while to buy an extra tool or two.
      .
      Now what form that liability needs to take can be debated, but it needs to be direct and personal.

      --
      In "Pravda" there is no news; in "Izvestia" there is no truth.
    • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @12:05AM

      by Anonymous Coward on Sunday December 02 2018, @12:05AM (#768766)

      Every time I check into a hotel I think over that they don't need my real name, DOB, address, credit card info. I know they have to protect themselves but they are a honeypot waiting to be robbed. Assholes.

  • (Score: 5, Informative) by zocalo on Saturday December 01 2018, @03:38PM (5 children)

    by zocalo (302) on Saturday December 01 2018, @03:38PM (#768638)
    This seems to be a growing misunderstanding of the GDPR. Getting breached on its own does not automatically make Marriott liable under the regulations established by the GDPR, what potentially makes Marriott liable are failing to disclose the breach in a timely manner (it's not yet clear from the reporting whether they met the 72 hours from discovery disclosure requirement or not) and failing to have adequate data protection safeguards in place (which does seem highly questionable given the stated timescales).

    Apparently multiple ICOs in the EU are investigating so time will tell, but if Marriott has met the disclosure requirements and they can convince the ICOs that their encryption and other safeguards are adequate then the answer to the question in TFS might still be "zero". My guess is that they're going to be getting multiple fines though which, for those that are imposed under the GDPR, would be capped based on their revenue for 2017 which was almost $23 billion, so a theoretical maximum of roughly $900 million, per ICO.
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 2) by SemperOSS on Saturday December 01 2018, @04:01PM (1 child)

      by SemperOSS (5072) on Saturday December 01 2018, @04:01PM (#768643)

      So, in principle, if every European Union state pursues the matter the sum could be 28 x $900 million or 25.2 billion?

      --
      I don't need a signature to draw attention to myself.
      Maybe I should add a sarcasm warning now and again?
      • (Score: 2) by zocalo on Saturday December 01 2018, @05:30PM

        by zocalo (302) on Saturday December 01 2018, @05:30PM (#768669)
        In theory, yes, if a breach compromised data on citizens of every country in the EU, although the expectation is that ICOs would work together and pool resources in a single case where there was major EU-wide impact, and I guess a company might be able to appeal their way up to the EU's supreme court and then cut a single-fine deal. How well that will work in practice obviously remains to be seen and tested in court.
        --
        UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Saturday December 01 2018, @04:07PM (1 child)

      by Anonymous Coward on Saturday December 01 2018, @04:07PM (#768646)

      convince the ICOs that their encryption and other safeguards are adequate

      By reported facts of 500 million... they were not.

      • (Score: 2) by zocalo on Saturday December 01 2018, @05:39PM

        by zocalo (302) on Saturday December 01 2018, @05:39PM (#768672)
        At first glance that seems to be the case, but there are still mitigations and circumstances that might work for them. For instance, Marriott has an IDS that detected the breach and at least some of the data appears to have been encrypted, so if they tied that into their GDPR compliance effort and can demonstrate that this was the first post-GDPR data exfiltration then they're already at least part way there. I doubt very much they'll get off the hook entirely, but they might at least be able to avoid getting hit with something approaching the maximum possible fine.
        --
        UNIX? They're not even circumcised! Savages!
    • (Score: 2) by RandomFactor on Saturday December 01 2018, @11:08PM

      by RandomFactor (3682) Subscriber Badge on Saturday December 01 2018, @11:08PM (#768755) Journal

      Malicious actors had access for FOUR YEARS, frankly the whole damned network might be better burned and rebuilt :-(
      .
      But maybe these were nice hackers who didn't litter the place with quiet backdoors and custom APTs that won't be found by scans.
      .
      .
      Oh and ONE YEAR of credit monitoring? This needs to be for life.

      --
      In "Pravda" there is no news; in "Izvestia" there is no truth.
  • (Score: 2) by SemperOSS on Saturday December 01 2018, @03:45PM (3 children)

    by SemperOSS (5072) on Saturday December 01 2018, @03:45PM (#768641)

    Assuming the number of "500 million guests" represents separate individuals, this implies that almost 6.5% of the world's population (about 7.7 billion people) has been hit by this breach ... a truly staggering percentage! (And an indication of the amount of money Marriott International must make.)

    --
    I don't need a signature to draw attention to myself.
    Maybe I should add a sarcasm warning now and again?
    • (Score: 0) by Anonymous Coward on Saturday December 01 2018, @05:10PM (2 children)

      by Anonymous Coward on Saturday December 01 2018, @05:10PM (#768661)

      And if we look at the percentage of people who visit hotels or have passports or credit cards, the percentage is much higher.

      But records are meant to be broken. Something I hope the prosecutors remember when considering the sentencing of the wonderful people behind this. Both the people who stole it and the people who left it to be stolen.

      • (Score: 1, Troll) by realDonaldTrump on Saturday December 01 2018, @05:45PM (1 child)

        by realDonaldTrump (6614) on Saturday December 01 2018, @05:45PM (#768676) Homepage Journal

        I have asked Attorney General @MattWhitaker46 [twitter.com] to closely study this horrible Cyber Breach. And, I will ask my Cybersecurity and Infrastructure Agency, my Cyber Space Force, to do a full, and VERY THOROUGH, investigation. And bring anyone involved in that hacking to justice. We'll be moving very strongly. And very quickly. It won't take very long to do. But until that happens, why not put a little luxury into your life? Trump Hotels. trumphotels.com [trumphotels.com]

        • (Score: 1, Interesting) by Anonymous Coward on Sunday December 02 2018, @04:22AM

          by Anonymous Coward on Sunday December 02 2018, @04:22AM (#768814)

          No thanks, your IT security sucks:

          https://krebsonsecurity.com/tag/trump-hotel-breach/ [krebsonsecurity.com]

          Maybe some of you missed this amid all the breach news recently (I know I did), but Trump International Hotels Management LLC last week announced its third credit-card data breach in the past two years. I thought it might be useful to see these events plotted on a timeline, because it suggests that virtually anyone who used a credit card at a Trump property in the past two years likely has had their card data stolen and put on sale in the cybercrime underground as a result. ...

  • (Score: 2, Interesting) by Anonymous Coward on Saturday December 01 2018, @04:05PM (1 child)

    by Anonymous Coward on Saturday December 01 2018, @04:05PM (#768645)

    These failures are and have been with hotels since the 80s at a minimum. The hotel business always comes out shocked that this happens, guess what...

    One of the best examples: Hong Kong in the late 80s, cards were "stolen" and clones were on the streets within 1 hour of check-in. The method was tapping the credit card processing center's modems. The traffic was sent unencrypted over dial-up modems (ZonJr anyone?). The track info was read and passed to the clearing house, which then did the real work on the information. Hell, today that mag stripe on the back of your card... is unencrypted. But since it is universally read... it will be, because EVERYONE needs to decode it.

    The high security machines have their weak points too. With TELNET all traffic is unencrypted, so with a card reader that feeds information over that link... all the information is in the clear. You don't use Telnet or other unencrypted equipment? Look at the keyboard and mouse under / in your hands. Let alone the display in front of your eyes. But look at database access, internal web servers... try Wireshark and see the free info that is going by.

    What most people think... the firewall is between my network and the internet. WRONG! You need tiers of firewalls and encryption.

    Helped one insurance company install a firewall between their own desktops and NOC, IN THE SAME BUILDING. Reason was OS upgrades turn on ports and features that are normally off or should be off. Like IBM DB2 server ports that are being used. The firewall faced both sides with a hard wall and only the needed ports were opened for two-way traffic. So if a virus did get into the server, there was no "exit". The systems could not even get to the internet to get updates. Those were brought in manually and only by CD.

    One large hotel chain rewrote the terminal interface so that all traffic went field by field with different encryption keys and self flags. And stored that data in the database encrypted with multiple different keys per column. The servers did not have, nor had access to, the keys, which were stored elsewhere on a different sub-net behind a two-sided firewall. Only a "terminal" function could access the encrypted column and the decoding key. But it put into place that if the database got out... there was nothing there that is usable (directly), and if the keys got out, the same. You had to break into two different networks to get both parts. And again the ports were firewalled / blocked to prevent extra access ports. In this manner the point where all the data is in the clear is at the terminal... the weakest link.

    You must think and REQUIRE businesses to treat your information as personal. I walked out of a doctor's office that required Social Security Numbers. I reported hospitals to ADA and HIPAA oversight agencies for reading my information back to me. They really hate it when I repeat back to them information that I got just standing in the room with others checking in... including their birth dates, Social Security Numbers, and other personal information, readable from afar or read out loud.

    If you do not "teach" them about their failures... these reports will go on forever.

    LASTLY, it is time that ALL companies are required to report failures on the DAY of the event, the exact same day as the lowly tech found it, not months later after PR firms get a chance to spin it. The companies that harvest or store personal data... ARE REQUIRED TO BUY personal insurance monitoring like LIFE-LOCK or BETTER, for every person in the database. With yearly reports to be provided (akin to Credit Reports) so each and every person can see EXACTLY all information they have about you or used or "said" or "told" others, who they are and so on about you in the last 5 years. So no hiding the access. Add to that... 1) Automatic civil penalties payable to each affected person. 2) Criminal penalties for the board and all executive officers (they "are" the company). Finally, death to the company itself, if the acts are egregious enough, with "claw-back" of all money paid to top tier officers to cover all debts to employees and injured persons.
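
The split-custody design the comment above describes (one key per encrypted column, keys held on a separate firewalled sub-net, decryption only through the terminal function) is also the answer to the summary's worry that Marriott could not rule out the encryption keys being taken along with the encrypted card data: if the database host never holds a key, a database dump alone yields ciphertext. The Go program below is an added example written for this page; it is not the commenter's code and not anything Marriott or Starwood ran. The column names, the "terminal" and "db_server" roles, and the in-process KeyService are assumptions made for illustration; in a real deployment the key service would live on the separate sub-net the comment describes, ideally backed by an HSM or KMS, and only sealed cells would ever reach the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Column names are illustrative assumptions; the real Starwood schema is not public.
const (
	ColPassport = "passport_number"
	ColCardPAN  = "card_pan"
)

// KeyService stands in for the key store on the separate, firewalled sub-net:
// one independent AES-256 key per encrypted column, usable only by the terminal role.
type KeyService struct{ aeads map[string]cipher.AEAD }

func NewKeyService(columns ...string) (*KeyService, error) {
	ks := &KeyService{aeads: map[string]cipher.AEAD{}}
	for _, c := range columns {
		key := make([]byte, 32) // a 32-byte key selects AES-256
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		ks.aeads[c] = gcm
	}
	return ks, nil
}

// aeadFor is the access rule: a database server (or anything but the terminal) gets no key.
func (ks *KeyService) aeadFor(role, column string) (cipher.AEAD, error) {
	if role != "terminal" {
		return nil, fmt.Errorf("role %q may not use column keys", role)
	}
	if a, ok := ks.aeads[column]; ok {
		return a, nil
	}
	return nil, fmt.Errorf("no key provisioned for column %q", column)
}

// Seal encrypts one cell with AES-256-GCM under that column's key, binding the column name
// as associated data so a cell copied into another column will not open. Stored layout:
// random 12-byte nonce || ciphertext || 16-byte tag.
func (ks *KeyService) Seal(role, column string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aeadFor(role, column)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// Open fails for a non-terminal role, the wrong column, a truncated cell, or any tampered byte.
func (ks *KeyService) Open(role, column string, cell []byte) ([]byte, error) {
	gcm, err := ks.aeadFor(role, column)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(cell) < n {
		return nil, fmt.Errorf("cell of %d bytes is too short to hold a nonce", len(cell))
	}
	return gcm.Open(nil, cell[:n], cell[n:], []byte(column))
}

func main() {
	ks, err := NewKeyService(ColPassport, ColCardPAN)
	if err != nil {
		panic(err)
	}
	// dbRow is all the reservation database ever holds: ciphertext, no keys. The guest
	// values are constructed; the PAN is the standard Visa test number, not real card data.
	dbRow := map[string][]byte{}
	for col, val := range map[string]string{ColPassport: "X1234567", ColCardPAN: "4111111111111111"} {
		if dbRow[col], err = ks.Seal("terminal", col, []byte(val)); err != nil {
			panic(err)
		}
	}
	fmt.Printf("database dump of %s: %x\n", ColCardPAN, dbRow[ColCardPAN])
	_, err = ks.Open("db_server", ColCardPAN, dbRow[ColCardPAN])
	fmt.Println("database server decrypt:", err)
	pan, err := ks.Open("terminal", ColCardPAN, dbRow[ColCardPAN])
	fmt.Println("terminal decrypt:", string(pan), err)
}
```

Run as-is it prints the hex a database dump would yield for the card column, a refused decrypt for the database-server role, and the recovered value for the terminal role. Binding the column name as associated data goes slightly beyond the comment's design: even if two columns ever end up sharing a key, a cell cannot be relabelled as a different column, and any single flipped byte in a stolen-and-modified cell fails authentication rather than decrypting to garbage.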

    • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @12:10AM

      by Anonymous Coward on Sunday December 02 2018, @12:10AM (#768768)

      It won't happen.

      I don't know what the deal is with hotels these days but I used to use the temporary or gift credit cards so if the hotel was breached at least all they got was my name and address. Now they all demand a 'real' credit card.
      It is getting to the point where it is worthwhile having a credit card specifically for hotels then replace it with a different card every 3 months.

  • (Score: 4, Interesting) by RandomFactor on Saturday December 01 2018, @05:29PM (2 children)

    by RandomFactor (3682) Subscriber Badge on Saturday December 01 2018, @05:29PM (#768668) Journal

    Ignoring the obvious like changing your password with them. (and if you are so foolish as to reuse the same password everywhere, change it all over...)
    .
    20 odd years ago some clown got hold of my credit card info and had billing rerouted to an address in California. Then charged a large charge at CompUSA to it and shipped something there. Presumably a computer or laptop from the amount. We didn't get a bill at the beginning of the month and it took us a week or two to figure out there was a problem.
    .
    After going through all the mess of cleaning that up (that damned address still appears on my credit history decades later even though I have repeatedly told the credit bureau it was fraudulent. However they insist that doesn't matter, I really hate those asshats)
    During all this I was discussing with one of the fraud departments and asked how i could keep this from happening again. They gave me the usual credit freeze (not so fun back then) and paying a company to monitor my credit stuff (uggg.)
    I asked if there was anything else I could do, and they finally had one more tip.
    .
    Call the credit card company and tell them to put a password on your account. Then if someone calls in to do something like a request to change the billing address etc, they ask "What is your password" and the fraudster doesn't know it.
    This was pretty easy and straightforward to accomplish on my cards (with the exception of a work credit card, where I couldn't do it, however even they allowed for additional verification to be put in place)
    .
    I've called a number of times for whatever over the years and gotten "What is the password on the account?" and been quite happy about that (not 100% though, they don't always do it unfortunately.)
    .
    Simple and straightforward, provides some additional protection on your cards if you want it. Costs is just a phone call to ask them to do it.

    --
    In "Pravda" there is no news; in "Izvestia" there is no truth.
    • (Score: 4, Interesting) by shortscreen on Saturday December 01 2018, @09:39PM (1 child)

      by shortscreen (2252) on Saturday December 01 2018, @09:39PM (#768737) Journal

      I used to have a password on my CC account. Then this year I received a notice that they would no longer be asking for the password. Why? Because now, if there is any funny business on my account I will be alerted by their "app"

      Being alerted after the fact (assuming I used their app, which I don't) is what passes for security now I guess. And yes, I'm going to name and shame. It was Capital One.

      • (Score: 2) by RandomFactor on Saturday December 01 2018, @10:43PM

        by RandomFactor (3682) Subscriber Badge on Saturday December 01 2018, @10:43PM (#768746) Journal

        Uggh....why on Earth would this be an either-or situation? They should allow both if you want.
        .
        I don't have Capital One and haven't seen any notices like that. If I was hunting a new card, not allowing this would probably be a disqualifier for me.

        --
        In "Pravda" there is no news; in "Izvestia" there is no truth.
  • (Score: 4, Funny) by Fishscene on Saturday December 01 2018, @05:56PM

    by Fishscene (4361) on Saturday December 01 2018, @05:56PM (#768680)

    "Up to *500 Million Customers* of Marriott International Hotel Group *Involved* in Data Breach"

    500 million involved or 500 million exposed/compromised?

    --
    I know I am not God, because every time I pray to Him, it's because I'm not perfect and thankful for what He's done.
  • (Score: 0) by Anonymous Coward on Saturday December 01 2018, @07:27PM (1 child)

    by Anonymous Coward on Saturday December 01 2018, @07:27PM (#768695)

    these suited whores fund the enemies of humanity every chance they get while smaller firms selling FOSS solutions go largely unnoticed and/or broke. now marriott learns that they are not the master, but just another slave skull at the bottom of the pyramid.

    • (Score: 0) by Anonymous Coward on Sunday December 02 2018, @04:40AM

      by Anonymous Coward on Sunday December 02 2018, @04:40AM (#768819)

      Is it time to implement the Emacs and begin the anarcho-capitalist revolution?

  • (Score: 3, Insightful) by acid andy on Saturday December 01 2018, @08:22PM (2 children)

    by acid andy (1683) Subscriber Badge on Saturday December 01 2018, @08:22PM (#768714) Homepage Journal

    If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.

    It would be nice if they actually told us how long they keep details in the database after someone's visit. Based on the fact they don't tell us, and on the numbers suspected to be involved, I wonder if it's forever!

    --
    Master of the science of the art of the science of art.
    • (Score: 3, Interesting) by MostCynical on Saturday December 01 2018, @09:10PM

      by MostCynical (2589) on Saturday December 01 2018, @09:10PM (#768729) Journal

      This is the 21st Century. Data is where the money is made.

      So data is forever*

      *until your company goes broke and someone sells the servers (with, likely unencrypted, data intact)

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 3, Informative) by Joe Desertrat on Saturday December 01 2018, @10:50PM

      by Joe Desertrat (2454) on Saturday December 01 2018, @10:50PM (#768748)

      It would be nice if they actually told us how long they keep details in the database after someone's visit. Based on the fact they don't tell us, and on the numbers suspected to be involved, I wonder if it's forever!

      Any hotel software I've seen saves a guest history. Most is just name, address, phone number, number of stays, fairly innocuous stuff like that. Usually it gets purged after a specified period of time if that guest is inactive in the system. However, accepting credit cards adds a whole new level to data required to be saved (although hopefully not in guest history). At the very least, it has to be saved for the period that credit card issuers allow chargebacks. Any guest can leave a hotel after running up a tab, go home and call up their credit card issuer to dispute the charge. The burden of proof that the charge is legit then falls upon the business. In some cases this could be up to a year after the charge was made. Add to that that most states require data to be saved for seven years for tax audit purposes. Usually this involves mass storage of boxes of paper, but not necessarily. Payroll and accounting software could have social security numbers for employees and vendors virtually forever. There end up being several areas where data could be stolen. Any and every one of those areas is likely to have software that is "cloud" accessible, which makes it vulnerable no matter how strongly the attempts are made to secure it.

  • (Score: 0) by Anonymous Coward on Saturday December 01 2018, @08:56PM

    by Anonymous Coward on Saturday December 01 2018, @08:56PM (#768724)

    "I am not a rocket scientist, but I stayed at a Marriott Inn last night. And now my identity has been stolen."

  • (Score: 0) by Anonymous Coward on Saturday December 01 2018, @09:48PM

    by Anonymous Coward on Saturday December 01 2018, @09:48PM (#768739)

    Not yet notified. But I've used a CC at Sheraton website to reserve a hotel in Germany 2 years ago. Only used it there. Got pawned before even managed to check-out.

    Yeah.. bye Sheraton.
