Marriott breach leaves 500 million exposed with passport, card numbers stolen

3 billion customers at Yahoo, half a billion at Marriott??

I think those numbers are extremely inflated. Perhaps counting people that didn't have a customer account as a new customer each time they used a service?

I used to work at a Marriott (before I changed careers to software development, lol), and that's probably unique customer IDs, not unique customers, which would be only a portion of that. I worked at a higher-end property that had a lot of guests properly assigned to accounts with a lot of attached information (stay preferences, etc.), but if you go to a Fairfield Inn or something then you can search somebody's name and pull up 5 IDs that are all probably theirs from various stays within the company's portfolio, just stays where the guest didn't bother to use an awards account or didn't let the front desk associate them with one.

This is still nuts though.

Since the wizards in Marriott IT arbitrarily assigned new SPG account numbers to Marriott Rewards members who'd requested merging of their accounts, my PII is now associated with 2 SPG account numbers.

So, is this 500m people, or 500m IDs and thus something closer to 250m real folks? Like, say, 327m?

On second thought, maybe obfuscation was their antihacking defense.
 
Upvote
2 (2 / 0)
I haven't seen any mention of whether in-room, ahem, "entertainment" purchases might be divulged by this. Is that a possibility?

Good question. Though, why anyone would pay for adult channels vs just using the internet is beyond me.

Don't these businesses have data retention policies? Like, delete sensitive data after X days/months*? Or were they just hedging their bets to build some big-data advertising thing to better target their customers? I would love to see some accountability, to the point that businesses will be scared into not wanting data for fear of reprisal during these breaches.

*I realize that if the system is compromised, getting around data policies is trivial, but still, the extra mile could have minimized these kinds of things.

The cuteness here is that when responding to all the litigation headed their way, they now will have to comply with e-discovery rules for all the data they didn't purge in a timely manner.

Hey, karma!
 
Upvote
0 (0 / 0)
So what is the implication about the wifi exactly? Jamming rogue hotspots forced people onto the hotel's wifi, then what? And if people were not forced onto the hotel's wifi, wouldn't plenty of people have used it anyway because not everyone brings their own hotspot.

The issue was that Marriott charged for using their Wi-Fi, so they made money by blocking people from using their own hotspots. Only the higher-end Marriott brands charge; brands like Courtyard give free Wi-Fi.

Okay, but how did that contribute to the customer data breach?

TBH, I think that Marriott is just trying to shift blame to the wifi policy when it was other aspects of their IT security that enabled the data to be copied.

Re Marriott property hotel Wi-Fi security, I had two recent stays inside one month at a Marriott property that shall remain nameless. I discovered and dutifully reported to both the hotel staff and the service provider's help desk that their network proxy wasn't running on either Wi-Fi or wireline.

I noted in my ticket call-in to their contracted service provider help desk that all their internal network devices were discoverable from outside their LAN's private IP address space (via the Verizon local switch, which was also visible).

Weeks later, nobody from Marriott IT, the franchised property owner's IT staff or from their service provider has contacted me for the more detailed technical info I offered both to the property staff and to their service provider.
 
Upvote
2 (4 / -2)
I always wonder how they know what data was compromised in their investigation. One would assume if the system can be compromised for many years with nobody knowing, there would not be sophisticated audit trails of database access. So how do they know which columns in the database were compromised and which records were affected? Usually a read on a database will not leave a detailed trace unless full auditing is enabled.

In this case I believe they found a file of encrypted data someone was trying to exfiltrate from their systems. Once the file was decrypted they could see exactly what data it contained, so at that point they know who and what.

In many other cases, it's log files. Most databases have access logs, for example.

Maybe.

This autumn, I and a helpful, technically proficient escalation supervisor with access to the relevant logs uncovered at Marriott's tame credit card provider (n.b., a major financial institution) a boatload of security control fails related to account management, password resets, event logging, etc. Examples: password expirations were not being logged, nor were login attempt fails. *urk*

Weeks ago and still awaiting call backs from someone accountable, even to say "thanks!".

So, personally, I'm less inclined to brush off this latest bit of news.

My concern is rapidly deepening that there's nobody awake (or perhaps just not drunk or buzzed) in Marriott's IT wheelhouse. I'm already taking active steps to mitigate my own risks.
 
Upvote
2 (3 / -1)
As a Starwood member, can I get an email, a smoke signal, something to tell me what the hell happened? At least a drive-by "Hey, you might be screwed, but hey, at least we aren't Equifax" kind of thing???

Check your Starwood profile - it may not have an email address associated with it after they migrated the SPG accounts to Marriott's systems. Mine doesn't, which would also explain why I wasn't notified when my SPG points expired :mad:

I'm certainly regretting merging my Marriott Rewards account with my empty just-in-case-I-need-it SPG account (at least for the last 20 years, I'd not stayed at any Starwood hotel properties, the first thing I checked when the announcement hit the airwaves today). Marriott has thus far been silent on the risk exposure also generated for these merged accounts.
 
Upvote
0 (0 / 0)
When something like this happens, I often think, "That's so much data that hopefully they'll just never get to mine."
Also, I have no idea what people do with this data, so I probably have no idea what I'm talking about/thinking.

There are these things called computers that can do quite a bit of processing rather fast.
How on earth did this drivel get upvoted.
 
Upvote
-3 (2 / -5)

AccountingforMe

Wise, Aged Ars Veteran
145
When something like this happens, I often think, "That's so much data that hopefully they'll just never get to mine."
Also, I have no idea what people do with this data, so I probably have no idea what I'm talking about/thinking.

I had someone try to log into an old Wish.com account a few weeks ago using an email and old password - I was lucky Wish caught the transaction before it shipped. I also had an active CC on that for some dumb reason. I've since scrubbed my other accounts.
 
Upvote
2 (2 / 0)

Cognac

Ars Praefectus
5,400
Subscriptor++
Dozens of hotels over many years, I can't keep track of where I stayed for vacations/business but I have to assume I'm affected by this breach. The CC number I'm really not that worried about, it's insured and I can get a new one within a week. The Passports are another issue on another level. Not only an expensive pain to replace but I assume I should be worried that the old information is in the wild now. Never understood and definitely never felt comfortable about hotels or cruise ships holding your passport during a stay.

I don't know about cruise ships, but I've never stayed in a hotel that required me to hand over my passport. If someone told me that that was the case I'd simply walk out and find somewhere else to stay: It is an unreasonable request to ask me to hand over my most important government issued ID to a private party for anything other than checking my ID.
 
Upvote
0 (2 / -2)
So what is the implication about the wifi exactly? Jamming rogue hotspots forced people onto the hotel's wifi, then what? And if people were not forced onto the hotel's wifi, wouldn't plenty of people have used it anyway because not everyone brings their own hotspot.

What part was proprietary? Like, were the APs and the switches behind them completely custom-made for Starwood, or were they just <name brand> with the DDoS-rogue-AP option set?

That requires hiring someone to find out and write about it instead of summarising articles into a new article.
 
Upvote
-1 (0 / -1)
Let's see if I can be positive about this... Here we go:

Your Honor, I'm sorry, but there is no way to tell based on credit card information or reservations, etc. that I was the person at this location. My personally identifiable information was disclosed by Equifax, and the Marriott hack... It could be anybody at this point.

Thanks for all the alibis, shitty security folks! Swell.
 
Upvote
12 (12 / 0)

Exnor

Ars Scholae Palatinae
1,319
Imagine if corporations were allowed to use tech to penetrate through walls and take pictures of everyone's homes.

Now imagine the data is stolen, publicized, and a rash of successful burglaries came out as a result.

You would rightly first blame the company, but when the company didn't get any meaningful punishment you should also blame the government for not regulating this kind of business, or following up on failure.

If Philip K. Dick was still alive today I bet he would write some best-seller novel about that... And probably kill himself since some of his scary scenarios are coming to life :/
 
Upvote
4 (4 / 0)
You can tell a company is "serious" about addressing any potential security issues when they have a reporting policy of: "There are no known guidelines for reporting potential security vulnerabilities to this organization."

Their lack of bug bounty or security disclosure terms is available on HackerOne:
https://hackerone.com/marriottintl

Marriott also seems to *STILL* be set up to be a good target for a Magecart JavaScript injection similar to the Newegg breach.

The Marriott web page for guest enrollment requests credit/debit card number, expiration month/year and CVV number. This same web page has *NO* Content Security Policy in the HTTP header. Instead, it loads JavaScript onto the same web page from the following:

Monetate, CloudFront, Salesforce Live Agent, Blue Triangle, TrustArc, Yahoo Buzz, Apextag/Quantcast, TheTradeDesk, Criteo, SnapMedia, Facebook, MediaMath, TribalFusion, Jivox, TripAdvisor and Quantcount.

So, not only are you trusting that Marriott's own web server hasn't been compromised by a JavaScript injection, you need to trust that *ALL* of those other JavaScripts have no injection to siphon a copy of the form data to another site.

Again, Marriott has no publicly stated contact information for security disclosure or concerns that I can find. They also do not appear to provide anything to act as an incentive to report directly to them if one of the many JavaScripts loaded ever appears to be compromised. It seems like a far stretch to make this out to be understanding of the importance of protecting this personal information.

I also like that this level of over-exposure to JavaScript from over a dozen different companies while taking credit card details has no impact on Norton still providing their Norton Secured trust seal. What a worthless, misleading piece of crap that has turned out to be.
 
Upvote
8 (8 / 0)
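The comment above describes a card-entry page with no Content-Security-Policy header that loads scripts from more than a dozen third parties. The check below, an added example that is not Marriott's code or any vendor's, is the first thing a reviewer would script for that situation: collect every `<script src>` origin on a page and evaluate it against a CSP the way a browser would, so that "no policy at all" and "policy that only allows the tags you meant to ship" show up side by side. The page origin, the HTML and the two header values are constructed placeholders; the `*.example-*` host names are not real services.

```javascript
// Added example, not from the page or from Marriott: audit the <script src> origins a page
// loads against its Content-Security-Policy. The page origin, sample HTML and headers are
// constructed for the demonstration; no real site is referenced.

const PAGE_ORIGIN = "https://enroll.example.com"; // assumed origin of the enrollment form

// Parse a CSP header into { directiveName: [sourceExpressions] }.
// When a directive appears twice the first occurrence wins, as browsers do.
function parseCsp(header) {
  const policy = {};
  for (const raw of (header || "").split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Collect the origin of every external <script src="..."> in an HTML document.
function scriptOrigins(html) {
  const origins = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) origins.add(new URL(m[1], PAGE_ORIGIN).origin);
  return [...origins];
}

// Does one CSP source expression permit loading from `origin`? Handles 'self', 'none', '*',
// scheme-only sources (https:), and host sources with optional scheme, port and *.wildcard.
function sourceAllows(expr, origin) {
  const target = new URL(origin);
  if (expr === "'self'") return origin === PAGE_ORIGIN;
  if (expr === "'none'") return false;
  if (expr.startsWith("'")) return false;            // keywords, nonces, hashes: not host sources
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  let scheme = null;
  let host = expr;
  const schemeEnd = expr.indexOf("://");
  if (schemeEnd !== -1) {
    scheme = expr.slice(0, schemeEnd).toLowerCase();
    host = expr.slice(schemeEnd + 3);
  }
  host = host.split("/")[0];                          // drop any path component
  let port = "";
  const colon = host.lastIndexOf(":");
  if (colon !== -1) {
    port = host.slice(colon + 1);
    host = host.slice(0, colon);
  }
  host = host.toLowerCase();
  if (scheme && target.protocol !== scheme + ":") return false;
  if (port !== "*" && port !== target.port) return false; // "" means the scheme's default port
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

// Audit a page: which script origins the policy allows, which it blocks, and whether any
// directive governs scripts at all (no script-src and no default-src means everything loads).
function auditScripts(html, cspHeader) {
  const policy = parseCsp(cspHeader);
  const sources = policy["script-src"] || policy["default-src"];
  const result = { restricted: Boolean(sources), allowed: [], blocked: [] };
  for (const origin of scriptOrigins(html)) {
    const ok = !sources || sources.some((s) => sourceAllows(s, origin));
    (ok ? result.allowed : result.blocked).push(origin);
  }
  return result;
}

// Constructed sample: a card-entry form plus one first-party and two third-party tags.
const SAMPLE_PAGE = `
<form action="/enroll"><input name="card"><input name="cvv"></form>
<script src="/static/enroll.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="https://ads.example-tracker.net/pixel.js"></script>`;

const NO_CSP = ""; // the situation the comment describes: no policy header at all
const HARDENED_CSP =
  "default-src 'none'; script-src 'self' https://cdn.example-analytics.com; " +
  "connect-src 'self'; form-action 'self'; frame-ancestors 'none'";

if (typeof require !== "undefined" && require.main === module) {
  console.log("no CSP:", auditScripts(SAMPLE_PAGE, NO_CSP));
  console.log("hardened:", auditScripts(SAMPLE_PAGE, HARDENED_CSP));
}
```

With the empty header every tag is allowed and `restricted` is false; with the hardened header only the first-party script and the one deliberately allowed CDN load, and the tracker is reported as blocked. `connect-src` and `form-action` are in the hardened policy because a skimmer that does get to run still has to send the form data somewhere; they narrow that, though `img-src` would have to be narrowed too to close the image-beacon route. CSP does nothing against a compromised script that the policy allows, which is why the allowed list has to be short and each entry pinned with Subresource Integrity or removed from the payment page altogether.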

Wolvenmoon

Ars Tribunus Militum
1,691
They "deeply regret", huh?

As deep as their pockets?

Why was old, idle consumer data being stored unencrypted on a production server rather than removed from production (or encrypted) and put on an airgapped 'cold storage' server after 6 months from the last time it was accessed by either the company or the consumer?

There are even ways to encrypt the hell out of (or into) it in such a way that the consumer possesses the means of decryption simply by accessing the system ("Heya! Nice to see you again. We want to get you logged back into your rewards account and since it's been so long we need to ask you a couple of questions! What's your full legal name? Date of birth? What was your home phone number growing up?").

And suddenly they've got a way to decrypt the consumer's profile on their live system (toss in a few more relevant questions or a few more consistently-remembered-by-the-consumer questions if needed to create the decryption key), and if they have a consumer who can't remember they can flag it to check on their cold storage system whenever. Add a bunch of hashing iterations and it's no longer an issue. If a hacker manages to guess the decryption key through a means other than brute force, then they already have the consumer's data.

It's about time that companies that don't do this kind of thing start getting crucified. I get that if they're skimming the data as it comes in that this won't protect consumers, but if that's the case then it's just game over, period.
 
Upvote
2 (2 / 0)

Eldorito

Ars Tribunus Angusticlavius
7,980
Marriott says it confirmed unauthorized access to the Starwood guest reservation database on November 19, which contained guest information dating back to September 10, 2018. The hackers had allegedly copied encrypted information from the Starwood reservation database. When Marriott was able to decrypt the information, the company found that of the approximately 500 million guests that had their name and contact information stolen, a subset of 327 million had "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences."

To make matters worse, Marriott says that credit card numbers were likely stolen as well. Although the numbers were encrypted using the AES-128 standard, Marriott says it cannot rule out that the hackers also stole the keys to decrypt the credit card number information.

How does this make any sense?

This sounds like Marriott's entire customer database, why on earth do they need to decrypt it to know what it is? Likely whoever took this just took a dump of the entire database - it should take zero time to know what was in there.

Additionally, why on earth were the keys to this data sitting on the same server? Or was the entire company compromised in multiple ways?

Plus why are they storing all this? Every time I've stayed at a hotel where credit card and passport mattered, they asked for it at the time. Prudent security would be to then not store this data any longer than needed.

I can't wait until some major company finally falls due to their absolute inept approach to security. Hopefully this, along with GDPR, will mean data security will actually become important at some point.
 
Upvote
3 (3 / 0)

/or\

Ars Scholae Palatinae
1,426
I bet the SEC is already on it, from an investors standpoint.
Note that this graph is time relative, hence if you click on the link in a week it is meaningless and you will need to click the week tab at the top of the graph. Some putz ('s) shortsold stock the night before the announcement.
https://www.bing.com/search?q=dow+jones ... lang=en-US
A greed trap is just like a perjury trap, you have to be greedy to get caught in it.
 
Upvote
2 (2 / 0)

Hagen Stein

Ars Scholae Palatinae
695
Subscriptor
One thing for sure. GDPR is going to hit them very, very hard. Their last year revenue was US$22.894 billion. 4% of that as fine is US$915M. Most of their 2017 profit. Going to be "fun" explaining the cost to shareholders.

A breach does not automagically invoke GDPR fines..

So far they appear to be playing by GDPR rules, for example they just decrypted the data less than two weeks ago, and the breach is already announced. Prior to the decrypt they couldn't really notify as they had no idea who and what-data was affected.

Access appeared to start (based on my reading) back in 2014, prior to both Marriott acquiring Starwood, and long before obligations to secure private data under GDPR came into play. So even if (as I suspect) Starwood's IT security was a complete dumpster fire, that would be basically ex post facto with respect to GDPR.

If they act in good faith, follow GDPR regs regarding notifications etc., they are unlikely to trigger any severe fines under GDPR..

I'd predict that the first huge fines we see will be for someone who totally stonewalls, delays reporting, and basically tries to ignore GDPR.. I think there's one or more of those already in play. My money at the moment is on the Cathay Pacific event we first heard about in October, involving 9.4 million users' worth of data including passport numbers. They discovered stuff in March; by May they knew the details.. but did not report until about 6 months later.. GDPR went into effect in May.. they HAD to know that.. but delayed reporting for half a year..

That's who'd be in my sights for fines if I was a GDPR regulator.

EDIT: the Forbes piece another poster linked does seem to indicate they may have failed in initial reporting to GDPR authorities that a breach was detected.. OTOH there's a lot of wiggle room in wording like "without unreasonable delay", and the size and scope of the investigation very likely play into what is considered reasonable in any given situation. I'm also not sure, for a company not located in the EU, who the proper supervisory authority is (each EU nation has one, basically).

My money is still on Cathay as the folks to get the first big slapdown.

Some decent high level info around breach reporting obligations can be found here: https://iapp.org/news/a/top-10-operatio ... -the-gdpr/

Keep an eye on noyb.eu, specifically https://noyb.eu/4complaints/.

"None of your business" is an NGO founded by Max Schrems, the Austrian guy who successfully went after FB in the EU before GDPR.

(Disclaimer: I became a Gold member as soon as I heard of it, to help kickstart that project)
 
Upvote
4 (4 / 0)

grommit!

Ars Legatus Legionis
20,737
Subscriptor
Plus why are they storing all this? Every time I've stayed at a hotel where credit card and passport mattered, they asked for it at the time. Prudent security would be to then not store this data any longer than needed.

The Starwood loyalty program allowed you (and still does) to setup a profile that included your contact information and default payment information.
 
Upvote
0 (0 / 0)

Deleted member 1

Guest
Let's see if I can be positive about this... Here we go:

Your Honor, I'm sorry, but there is no way to tell based on credit card information or reservations, etc. that I was the person at this location. My personally identifiable information was disclosed by Equifax, and the Marriott hack... It could be anybody at this point.

Thanks for all the alibis, shitty security folks! Swell.

Taking it one more step... given all that, how should a company authenticate individuals nowadays? They can't rely on knowledge of SS#, current address, prior addresses*, car ownership history*, employment history*, driver license #, passport #, address and email, alone or in combination, anymore...

*Banks sometimes use a protocol that mines your credit file to generate questions about your past. After Equifax, that isn't reliable anymore, either.
 
Upvote
7 (7 / 0)

flish

Wise, Aged Ars Veteran
182
"None of your business" is an NGO founded by Max Schrems, the Austrian guy who successfully went after FB in the EU before GDPR.

(Disclaimer: I became a Gold member as soon as I heard of it, to help kickstart that project)

Haven't heard of them until now, but I'll be doing some research and support them if they do what they say they do.
 
Upvote
2 (2 / 0)

Fatesrider

Ars Legatus Legionis
25,295
Subscriptor
I really wish there were more severe punishments for companies (and culpable executives!) when these breaches happen. It would:

A) Maybe make this a little less common, and -
B) Actually make these companies "deeply regret" these breaches.

But hey, I look forward to yet another year of completely useless credit account / personal information monitoring, just like I have from OPM, Equifax, etc, etc...
<nods>

Home Depot, Target, Marriott, the VA - the list of breaches in which my personal credit information has been stolen is long and sad.

At this point, I think I've got free locks on all my credit pretty much for life. The irony is that for the last 15 years, I've not used any credit at all, and conducted all of my purchases on a cash-only basis. It makes monitoring my credit report brain-dead simple: Any credit activity at all is fraud.

But the issue is that these breaches have all but destroyed any pretense to privacy, and yet we don't have legislation that mandates the kind of credit monitoring services that everyone at this point (like everyone on the fucking PLANET) should be getting as a matter of course.

Because it seems that ALL of the personal, private information that has been provided to businesses has been compromised by some breach somewhere in the last couple of years.

I mean, where has anyone who HASN'T been breached been living?
 
Upvote
1 (2 / -1)
When something like this happens, I often think, "That's so much data that hopefully they'll just never get to mine."
Also, I have no idea what people do with this data, so I probably have no idea what I'm talking about/thinking.

Luckily/sadly, technology capable of making short work of 500M records is now widely available and inexpensive. Amazon, Google and Microsoft will sell you that kind of storage and processing power for pennies or dollars per hour.
 
Upvote
0 (0 / 0)
"Wi-Fi at these hotels could be a vector of attack. In 2015, before Marriott had acquired Starwood Hotels, the company briefly tried to block guests' personal hotspots at some properties in order to force their guests to pay for the Marriott proprietary Wi-Fi network. The Federal Communications Commission (FCC) ordered Marriott to stop that practice."

Oh come on! I just stayed at a Sheraton, and they were so generous with their free Wi-Fi: a full 7 megabits! How hospitable!
Why the guest WiFi network is connected to the corporate network that handles billing is left as an exercise to the reader.

Any audit of the chain for SOC or PCI would issue a high risk finding for that kind of thing and fail the certification.

Sigh.
 
Upvote
1 (1 / 0)
I haven't seen any mention of whether in-room, ahem, "entertainment" purchases might be divulged by this. Is that a possibility?

Doubtful.

If it was, you can be sure Washington would be batting an eye, the same way they were very suspiciously concerned about video rental histories all those years ago for no particular reason wink wink.
I'm certain PhantomPhoton was merely referring to the occasional minibar treat.
 
Upvote
0 (0 / 0)
One thing for sure. GDPR is going to hit them very, very hard. Their last year revenue was US$22.894 billion. 4% of that as fine is US$915M. Most of their 2017 profit. Going to be "fun" explaining the cost to shareholders.
Alas, since the original breach happened in 2014, four years before GDPR took effect, the new regulations won't affect Marriott/Starwood at all. Like most major multinational corporations, they get a free pass.
That's a non sequitur.

They don't get a free pass, and it's not because they're a major multinational.

The law just doesn't apply retroactively, to anyone, big or small. That's how most laws work.
 
Upvote
0 (0 / 0)
Upvote
3 (3 / 0)
At this point, I think I've got free locks on all my credit pretty much for life. The irony is that for the last 15 years, I've not used any credit at all, and conducted all of my purchases on a cash-only basis. It makes monitoring my credit report brain-dead simple: Any credit activity at all is fraud.

You're paying all your rent/mortgage, utility, ISP, website hosting, property tax, hotel, car rental bills in cash?

Everything you buy is bought locally in cash? No Amazon or similar web orders?

That's impressive.
 
Upvote
2 (2 / 0)
So, I went to a Sheraton hotel. I paid with credit card in the hotel and definitely used the wifi. What are my options here? I'd like to know which data has been taken and what the heck can I do if the passport number has been taken. I don't think I can get a new number. Also it costs me 120 euros to get a new passport. Will they refund me for it?
 
Upvote
2 (2 / 0)
"Hacker" You mean the disgruntled IT guy that lost his job in the merger but left a back door open that Marriott security did catch?

Just speculation, but Ockham's razor.

...or finally got around to implementing DNSSEC.
WTF does DNSSEC have to do with a data breach?

I shouldna been so cryptic, clearly.

Presuming nobody was minding the store in 2014, the chances that an interloper might be detected thru log entries of either a DNSSEC-to-non DNSSEC connection fail or DNSSEC-based identification of a domain that shouldnaoughta be connected to certain internal segments is at best remote; you're correct.

My admitted conjecture (perhaps led astray by the second paragraph in Marriott's announcement) was that a September exfil attempt was how they initially spotted the breach ("alerted by a security tool"). As above, sudden DNSSEC connection fails (where intro of DNSSEC busted a connection previously working undetected) or again, DNSSEC verification of connection to a domain that shouldnaoughta be the recipient of the exfil package, could conceivably have helped. Again, presumes someone is actually minding the store, but those number among other good reasons for a solid enterprise implementation of DNSSEC.
 
Upvote
-1 (0 / -1)
I really wish there were more severe punishments for companies (and culpable executives!) when these breaches happen. It would:

A) Maybe make this a little less common, and -
B) Actually make these companies "deeply regret" these breaches.

But hey, I look forward to yet another year of completely useless credit account / personal information monitoring, just like I have from OPM, Equifax, etc, etc...
<nods>

Home Depot, Target, Marriott, the VA - the list of breaches in which my personal credit information has been stolen is long and sad.

At this point, I think I've got free locks on all my credit pretty much for life. The irony is that for the last 15 years, I've not used any credit at all, and conducted all of my purchases on a cash-only basis. It makes monitoring my credit report brain-dead simple: Any credit activity at all is fraud.

But the issue is that these breaches have all but destroyed any pretense to privacy, and yet we don't have legislation that mandates the kind of credit monitoring services that everyone at this point (like everyone on the fucking PLANET) should be getting as a matter of course.

Because it seems that ALL of the personal, private information that has been provided to businesses has been compromised by some breach somewhere in the last couple of years.

I mean, where has anyone who HASN'T been breached been living?

On the one hand, isn't it victim blaming to say a company is responsible for someone breaking in, on the same order as blaming a bank for getting robbed?

On the other hand, since it's pretty much a guarantee that all but the biggest super tech giants are going to get hacked at this point, you may have something going here suggesting that credit monitoring might just about be at the point of being an expected human right for anyone living in modern society.
 
Upvote
0 (0 / 0)

ArsCannon

Ars Scholae Palatinae
1,063
An existing infection from the Starwood chain spread to Marriott. From the attacker's perspective, the excitement was likely on par with finding a diamond mine within a gold mine.

From an IT perspective, I think it might be a good practice to expect these kinds of things. When I've worked on conversion/integration projects in the past, it's frequent that I saw the kind of crap that gets into the systems when no proper security is in place for anything. We typically scrapped the whole infrastructure and started from scratch. Where that's not an option, integration had to be done in an extremely careful manner... and then the infrastructure was still replaced, it just took longer.

Regarding Wi-Fi, how is that a vector? I'd say that guest Wi-Fi needs to be air-gapped from all other hotel systems. Even if no malicious activity is suspected, it's a good practice to have a different pipeline entirely. Eliminate that vector for good.
 
Upvote
0 (0 / 0)