SPG/Marriott Data Breach Update: Passport Numbers Not Encrypted

Marriott has provided an update on the SPG reservation data breach that was first disclosed on November 30th, 2018. Key points from the update:

  • 25.5 million passport numbers were included. Of these, 5.25 million were stored unencrypted; the remaining 20.3 million were encrypted, and Marriott says there is no evidence that the master key was accessed.
  • 8.6 million encrypted payment card numbers were involved, and again Marriott says there is no evidence that the master key needed to decrypt them was accessed. It does admit, however, that card numbers may have been typed into other fields, and those fields were not encrypted.
  • Marriott now puts the upper limit on the number of guest records involved at approximately 383 million, down from the 500 million originally announced. It adds that fewer than 383 million unique guests are affected, since the figure counts records rather than people, but it is unable to state the actual number of unique guests (very reassuring…)
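The second bullet describes the failure mode that encrypting a dedicated card field cannot catch on its own: a card number typed by front-desk staff into a notes or comments field sits in plaintext no matter how well the card field itself is protected. The following Python is an added example, not Marriott's code and not drawn from the update. It scans the free-text fields of a few constructed guest records for card-number-like digit runs, keeps only those that pass the Luhn check (so a 16-digit confirmation number is not reported), and reports them masked so that the findings list is not itself a second plaintext copy. The record layout, the field names and the sample values are all assumptions.

```python
import re

# Constructed sample records (hypothetical, not real guest data). In a reservation
# system the dedicated card field would be encrypted; the free-text fields below are
# the kind of place where a card number can end up unencrypted.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Guest requests late checkout", "special_requests": ""},
    {"id": 2, "notes": "Card on file 4111 1111 1111 1111 exp 12/26", "special_requests": ""},
    {"id": 3, "notes": "Conf no. 4111-1111-1111-1112 from old system",
     "special_requests": "Paid deposit with 5500 0000 0000 0004"},
    {"id": 4, "notes": "Call 212-555-0100 before arrival", "special_requests": "Quiet room"},
]

# Assumed names of the free-text columns a scan should cover.
FREE_TEXT_FIELDS = ("notes", "special_requests")

# 13 to 19 digits, optionally separated by single spaces or dashes, and not embedded
# in a longer digit run. Matches 16-digit numbers written as "4111 1111 1111 1111".
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalized (digits only) card numbers found in a free-text value."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits, which is all a report should show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records, fields=FREE_TEXT_FIELDS) -> list[dict]:
    """Report every free-text field that holds a Luhn-valid card number, masked."""
    findings = []
    for record in records:
        for field in fields:
            for pan in find_pans(record.get(field, "")):
                findings.append({"id": record["id"], "field": field, "masked": mask(pan)})
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"record {finding['id']}: card number in '{finding['field']}' -> {finding['masked']}")
```

Run against the sample, the scan reports record 2 (notes) and record 3 (special_requests) only: the 16-digit "confirmation number" in record 3's notes fails the Luhn check and the phone number in record 4 is too short to match. The same logic applies to any other identifier that should only ever live in an encrypted column; the regex and validity check are the parts that change.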

I got into a debate with somebody the other day regarding this breach; they said this really wasn't Marriott's fault, and that Marriott was a victim of this whole mess since it was SPG whose systems were breached. I argued that Marriott should have done its due diligence on information security before acquiring SPG. I'm not an information security expert, but not encrypting all passport numbers seems like a fairly massive security flaw.

Until the penalties for data breaches are increased, they will continue to happen at an alarming rate. Marriott seems hell-bent on pushing the narrative that Chinese state agents were responsible for the hack, but in my mind that only makes information security more important, not less. Companies have a responsibility to keep private information private, and if they fail to do so they should be punished harshly.

Comments (32)

  • Realistically there is a massive difference between Chinese government hackers and non-state-sponsored hackers. I don't think we can expect Marriott to fend off the Chinese government. I don't think the US government is very capable of doing that. For those of us who visit China, the government likely had all this info already.

  • Sanction any and all countries, including the U.S., for any part they played in retrieving and collecting citizens' personal data for which they did not get our direct authorization. In fact, we need to treat our most valued personal data, such as health records, SS#, passport numbers and any data we as citizens treat and declare as our own, as if it were copyrighted material under the law. If a person, government agency, crook or spy (some would say they are all of these) wants to steal or re-publish part of your copyrighted song, then they must pay a licensing fee to YOU. They want our data, they must pay each one of us for our data. We've let governments and their agents collect, store and use our data without true compensation. Congress is not protecting us like they should; they create the laws. Oh sure, they'll place more sanctions and so forth, but each of us that has been affected should get a piece of that money instead of it going into the government's hands. Are we the people not the government in the U.S.A.?

    I get tired of even these class actions brought by state attorneys general, in which they act like it's for 'we the people', yet each citizen doesn't actually receive a check in the mail; instead the states create more agencies off their winnings/settlements. I've opted out of some class actions so I could reap on my own, and got others to join me in our own sub-class (seems the only way to see any true value). In the end, it's politics that drives state attorneys general to go after companies, but most of the citizens never really see a dime, only new government buildings, some new hires, and then the politician turns around at election time saying "look how I fought for you". - My rant for the day. ;) Of course, this is why I don't use FB or other sites that I knew could be data mining, which is of course the whole point if you want to be in the media business and make money from ads. VPNs help too.

  • As a software engineer myself, I find this behavior of not encrypting sensitive data extremely sloppy and unprofessional. Did they even hire professional IT people to handle their website and data?

  • Heck... how would SPG even have my passport #? Did they enter it when I stayed at a Sheraton or Four Points abroad? Good thing I renewed my passport recently... old # is nada... think I'll call to get a new Amex SPG card #... only card I've used at Marriott properties.

  • Don’t want to nitpick but:

    “5.25 million passport numbers were included and these were not encrypted. In addition to this 20.3 million encrypted passport numbers were also accessed, but the master key was not accessed.”

    Makes it seem like only the 5.25 were included, perhaps “25.5 million passport numbers were included. Of these, 5.25 were not encrypted...”

    Thanks for the informative post

    • Updated to make clearer, thanks for providing an alternative that is clearer! Very constructive and useful criticism.

  • My first question is why, and who gave the authority for Marriott to store and retain passport numbers and credit card information? Once the guest has completed their stay at the property, that information should be erased from their system. What gives them and other companies the right to store the information of clients?

    • I'm assuming it's the customers who have Marriott loyalty and choose to store their info in Marriott's system for convenience?

      • It was also stored locally at hotels; there was no standardization or protection. Both were hacked.

  • How can anyone apologize for this IS laziness? As a national security matter, China has compiled OPM background files hacked, with the identifiers of government travelers at an American firm across the world, and whatever plaintext info was entered at the hotel itself because no oversight existed. There is no apology, and for Marriott to hide behind the excuse that “we don’t know who did it and it wasn’t us and it’s not a big deal” is embarrassing. Truly eye-opening need for Congress to impose liability for these structural weaknesses because nothing else works!