Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …


  1. Anonymous Coward
    Anonymous Coward

    Equifax, 143 Million

    Lest we forget.

    1. Anonymous Coward
      Anonymous Coward

      Re: Equifax, 143 Million

      Is this breach solely in the States or is it going to involve some European action?

      1. Empire of the Pussycat

        Re: Equifax, 143 Million

        It's global.

        If you used an SPG hotel from 2014 onwards, I'd assume your data are in there.

      2. katrinab Silver badge

        Re: Equifax, 143 Million

        Le Méridien Piccadilly in London is one of the hotels affected. Also, Europeans do visit the USA.

  2. Craigie

    Card numbers

    Remind me again why card numbers aren't all single-use and virtual yet?

    1. heyrick Silver badge

      Re: Card numbers

      Probably too much bother to implement widely. Some banks offer it, most don't seem to...

      1. heyrick Silver badge

        Re: Card numbers

        Reply to my reply to add that I wanted to geoblock my card to only work on this continent. The website says to go to the branch. The staff at the branch had ZERO idea, and suggested something entirely different. Duh.

        1. wyatt

          Re: Card numbers

          I've done the opposite before, flag that the card is going out of the UK. It'd be useful to put blocks in place as well.

          1. Pen-y-gors

            Re: Card numbers

            @wyatt

            I've done the opposite before, flag that the card is going out of the UK.

            It must be 10 years ago that I visited Chile. After a couple of days tried to use my debit card to withdraw cash - nope! Seconds later got a text from the bank telling me about it and saying to reply to unblock.

            Had similar texts (but not blocks) when I used Lloyds CC to order stuff directly from a shop in Santiago. "Was this you? If not phone...."

            But yes, why does anyone need to store CC numbers once the transaction has been verified - or even before if you use a portal like Paypal?

            1. Yet Another Anonymous coward Silver badge

              Re: Card numbers

              >But yes, why does anyone need to store CC numbers once the transaction has been verified

              Hotels get a special PCI exemption (like car rental), otherwise they would need your card when you book to take a deposit, you queue again at checkin to pay, then you queue at checkout to pay for any other charges.

              People don't like queuing and the majority of hotels in the USA are booked on business trips so nobody cares if the card is ripped off

        2. Anonymous Coward
          Anonymous Coward

          Re: Card numbers

          After working in banking for four years and having moved on from that horror show, I can confirm that nearly every major bank does have this feature. Pretty much who you bank with will determine which department you contact. I know that during banking hours (9am - 5pm ish) you can speak to debit card fraud prevention and they will be able to add this feature; however, the agent you get will determine whether or not they implement it. I know that's not the most useful answer, but it's pretty accurate.

    2. Graham 32

      Re: Card numbers

      Is there anyone in the UK that does this? (I think Cahoot used to but long since stopped) I'd like it so I don't have to phone insurance companies every year to tell them I don't want to auto-renew.

      1. gryphon

        Re: Card numbers

        Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think.

        Probably similar banks do as well.

        They've also got a location based security, do / don't allow contactless or internet purchase and freeze card options with their standard service.

        I do remember seeing Barclays advertising at least the freeze card option.

        So called 'challenger' banks are probably more likely to offer these features than the big boys as a differentiator.

        Personally I started using Revolut because it allows me to do commission free foreign transfers at the interbank rate but YMMV.

        1. Anonymous Coward
          Anonymous Coward

          Re: Card numbers

          "Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think."

          My key problem with with Revolut is there appear to be very high levels of Russian links at senior levels.

          1. fnusnu

            Re: Card numbers

            My key problem with Revolut is this:

            3.4. When we hold Electronic Money for you, us holding the funds corresponding to the Electronic Money is not the same as a Bank holding money for you in that: […] (c) your Electronic Money is not covered by the Financial Services Compensation Scheme.

            1. Moog42

              Re: Card numbers

              FSCS doesn't cover any form of electronic money, makes me nervous of even my £12.50 delay repay payment from Virgin Trains...

          2. Anonymous Coward
            Anonymous Coward

            Re: Card numbers

            Monzo and Starlight are two alternatives that have Western Corruption instead of Russian ;).

      2. katrinab Silver badge

        Re: Card numbers

        Revolut I think offers it, but it is a prepaid card, so no S75 protection.

      3. Tomato Krill

        Re: Card numbers

        Revolut

      4. Graeme Carstairs

        Re: Card numbers

        Revolut offer disposable virtual cards on their premium services, or a normal virtual card on their standard services.

      5. Efer Brick

        Re: Card numbers

        Revolut

    3. GnuTzu

      Re: Card numbers

      This put a few thoughts in my head. I've done PCI in the restaurant industry, and credit card numbers never need to be stored there. But, do I understand correctly that hotels keep numbers on file for ongoing charges and a hedge against guests who might take off without paying? That's a major challenge. Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel. That way the hotel can deal with ongoing charges without storing a card number that could potentially be used by anybody. But, given the time it took to get chips in the states, I imagine this won't happen over night.

      1. Anonymous Coward
        Anonymous Coward

        Re: Card numbers

        Well, Marriott use the Opera property management system, which is now owned by Oracle.

        They were also one of the first to sign up to using it in the Oracle Cloud. Therefore there should not be a customer database that would locally be accessible to anyone.

        The Opera system can also utilise the Oracle Payment Interface (OPI). This does allow modern fully tokenised credit card support, however this has only been available for a short time and would not be the default with this service.

        Opera also has a number of APIs that allow you to retrieve and download customer data and can download CC data that isn't tokenised.

        So maybe they were polling the data down from the cloud into a separate db, maybe their web service was copying the data to an internal db when it was making the booking.

        Marriott have said "We also do a lot of research on transactional data to understand the value of getting an additional point of conversion through a new medium and what helps to drive that conversion. Based on what the data shows us and what customers are telling us, we try to marry the two together to reach informed decisions about the business."

        So it would seem they like to pull data into a centralised analytics system of some kind.

        Hopefully it won't be Oracle's cloud which has had issues!

        1. Anonymous Coward
          Anonymous Coward

          Re: Card numbers

          Actually, I can see that Starwood may well be on a different system to Marriott, so they probably have a local db and system.

        2. StuntMisanthrope

          Re: Card numbers

          If it started in 2014, I doubt it's Oracle Cloud, as it didn't exist for Hospitality, nor Opera, which is Java, and Opera Cloud v1 isn't widespread in general except for the fleet and test-beds; plus the acquisition was a couple of years later. It sounds to me like it's loyalty related, though I'm not familiar with their architecture other than common knowledge.

          1. StuntMisanthrope

            Re: Card numbers

            This is also one of the reasons, Larry has been banging on about for good reason, Cloud v2 and bare metal because of the numbers involved etc...

          2. Anonymous Coward
            Anonymous Coward

            Re: Card numbers

            If it started in 2014. I doubt its Oracle Cloud as it didn't exist for Hospitality ....

            But what about the acquired businesses that Oracle borged? In particular, Micros, who were an EPOS and hospitality specialist, and themselves a product of the horrible "snowball acquisition" model that afflict ERP and EPOS vendors.

        3. Mr. Flibble

          Re: Card numbers

          1. Not all hotels have Opera cloudy servers. Some are still physically at the hotel.

          2. It's quite possible that they breached "Valhalla", their back-end reservations database. This is probably why it is limited to Starwood hotels and not the whole group, as Marriott use a different system.

        4. johnboy1

          Re: Card numbers

          No, it's not Opera.

      2. richardcox13

        Re: Card numbers

        > Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel.

        Just like the APIs that most card processors provide, and have done for years?

        When that ecommerce site offers to save your payment details, this is what should be used. There is no need to hold details (beyond a few masked digits so customers can recognise which card has been saved).

        (Might be all card processors for all I know, certainly the APIs I've used all have this option.)

        1. Anonymous Coward
          Anonymous Coward

          Re: Card numbers

          "Just like the APIs that most card processors provide, and have done for years?"

          There's a little bit more to it than that. Fine if you are just creating an e-commerce website, but when dealing with a full-fat property management system that is interlinked with multiple third-party systems, the payment service provider is just a small chink in the chain. There are multiple factors involved with running full tokenisation, including the requirement for a hotel's special allowance to do long-term deposits, card authorisations and end-of-day re-authorisations (once again across multiple systems from different suppliers).

          So the API that allowed it for Opera (which Marriott uses AFAIK) has only become properly available in a proper way since the Oracle Payment Interface and API became available to use this year. Even then it only works with a PSP that supports it, and they in turn have to support your PED, and both of them have to support your Acquirer, which also has to support your bank. If you have legacy suppliers it gets a bit harder.

          1. robidy

            Re: Card numbers

            That's exactly why innovative startups succeed in all industries...a defence of the status quo as opposed to a drive for positive improvement.

            You can change and improve if you want to.

            You can have multiple accounts so you can do an orderly transition...heck acquirers will give you a temp account to help with the transition...you just have to ask for one.

      3. Anonymous Coward
        Anonymous Coward

        Re: Card numbers

        What you want is something like a Kerberos ticket: a token which proves you've seen the card and which gives you some rights (like taking money from the card up to some limit) for a finite time, beyond which it becomes valueless.

        From other replies it looks as if these do exist?
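The merchant-bound, time-limited card token that GnuTzu and the comment above describe, as an added illustration that is not code from the thread or from any named payment processor or property management system. The vault API, the merchant ids, the amounts and the use of a well-known test card number are all assumptions made for the example; the point it demonstrates is that every check is a property of the token itself, so a token copied out of the merchant's database cannot be charged by another merchant, beyond its limit, or after its window.

```python
# Added illustration (not from the thread or any vendor): a toy token vault
# showing a merchant-scoped, time-limited, amount-capped card token.
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """What the vault (and only the vault) keeps for one token."""
    pan: str            # full card number; never leaves the vault
    merchant_id: str    # the token is bound to this merchant only
    expires_at: float   # Unix time after which the token is valueless
    limit_minor: int    # remaining chargeable amount in minor units (pence)


class TokenVault:
    """Holds real card numbers; hands merchants an opaque, scoped token."""

    def __init__(self):
        self._tokens = {}

    def tokenize(self, pan, merchant_id, ttl_seconds, limit_minor, now=None):
        now = time.time() if now is None else now
        token = "tok_" + secrets.token_urlsafe(16)   # random, not derived from the PAN
        self._tokens[token] = TokenRecord(pan, merchant_id, now + ttl_seconds, limit_minor)
        masked = "*" * (len(pan) - 4) + pan[-4:]     # the only thing the merchant may display
        return token, masked

    def charge(self, token, merchant_id, amount_minor, now=None):
        """Return (approved, reason). Binding, expiry and limit are all enforced here."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if not secrets.compare_digest(rec.merchant_id, merchant_id):
            return False, "token bound to another merchant"
        if now > rec.expires_at:
            return False, "token expired"
        if amount_minor > rec.limit_minor:
            return False, "over remaining limit"
        rec.limit_minor -= amount_minor
        return True, "approved"


class HotelPMS:
    """Merchant side (hypothetical): stores the token and masked digits, never the PAN."""

    def __init__(self, merchant_id, vault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.folios = {}

    def check_in(self, guest, pan, stay_seconds, deposit_limit_minor, now):
        token, masked = self.vault.tokenize(pan, self.merchant_id, stay_seconds,
                                            deposit_limit_minor, now)
        self.folios[guest] = {"token": token, "card": masked}
        return masked

    def post_charge(self, guest, amount_minor, now):
        return self.vault.charge(self.folios[guest]["token"], self.merchant_id,
                                 amount_minor, now)

    def database_dump(self):
        """Everything an attacker would get from the merchant's own records."""
        return repr(self.folios)


def run_scenario():
    """Walk through a stay, then the failure modes a stolen token runs into."""
    vault = TokenVault()
    hotel = HotelPMS("hotel-piccadilly", vault)        # constructed merchant id
    other = HotelPMS("some-other-merchant", vault)     # constructed merchant id
    t0 = 1_700_000_000.0                               # fixed clock for reproducibility
    test_pan = "4111111111111111"                      # well-known test card number
    masked = hotel.check_in("guest-1", test_pan, stay_seconds=3 * 86400,
                            deposit_limit_minor=50_000, now=t0)
    minibar = hotel.post_charge("guest-1", 1_250, now=t0 + 3600)
    stolen_token = hotel.folios["guest-1"]["token"]    # what a breach of the PMS yields
    elsewhere = vault.charge(stolen_token, other.merchant_id, 100, now=t0 + 3600)
    too_much = hotel.post_charge("guest-1", 60_000, now=t0 + 7200)
    late = hotel.post_charge("guest-1", 100, now=t0 + 10 * 86400)
    return {
        "masked": masked,
        "pan_in_merchant_db": test_pan in hotel.database_dump(),
        "minibar": minibar,
        "elsewhere": elsewhere,
        "too_much": too_much,
        "late": late,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The merchant's database dump contains only the token and the masked digits, which is exactly the split richardcox13 describes: the processor's vault is the only place the full number lives, and the hotel's ongoing charges during the stay go through the token rather than a stored card number.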

    4. Ian Michael Gumby
      Boffin

      @Craigie Re: Card numbers

      Actually there is a product you can get for online purchases.

      The other thing is that there is a company that tokenizes the CC details so that companies like Marriott don't store the CC # and stuff.

      There's more, but the real problem is that we have the Mongol horde of programmers who really don't know what they are doing behind the scenes. (Or you could use Vandals too ... )

  3. Md_pepa

    Fines

    Lets hope the EU based regulators get a decent slice of the pie first, instead of the typical bank robberies we see from regulators over the pond.

    Amusing if it was just “Royal Concierge”, the GCHQ program.

  4. Graham 32

    email-marriott.com

    email-marriott.com? Really? That looks like a scam from the get go.

    1. steamdesk_ross

      Re: email-marriott.com

      Maybe they can't safely publish pages on marriott.com at the moment... Just a thought.

  5. Nick

    Kroll

    Has anyone tried to register with Kroll? The registration failed for me with an error and now retrying the process tells me that my email is already registered, but password recovery says I don't exist.

    This doesn't make me feel more secure.

    1. Empire of the Pussycat

      Re: Kroll

      Worked for me, though I did it before the El Reg posting; even then it was quite a while before I saw a confirmation email.

      As the news spreads I'd think more and more people will be registering and it'll get slower, or maybe have a wobbly.

      1. Nick

        Re: Kroll

        Thanks for the feedback - I've now received my email, to the correct address, but the website still claims that my email is invalid.

        I've spoken to a very nice man on the helpline who admitted that he's only there to handle to calls, he has nothing more he can do for me apart from pass it on to tech support.

        sigh

    2. Anonymous Coward
      Anonymous Coward

      Re: Kroll

      The ones who were hacked by Telecom Italia rogue hacker group some years ago?

      Hope they improved their security as well...

  6. StuntMisanthrope

    Data protection laws of world.

    It’s hefty and you’ll need a couple of reams of paper.

    To save you the trouble. In my opinion we need a global legal API (!?) framework.

    If you know your PCI and loyalty there’s big gaps continent wise and there also needs to be a discussion about geo-location silo-ing, escrow, times expiry and mega-data policy. #whatsyourvectorvictor

    1. StuntMisanthrope

      Re: Data protection laws of world.

      Forgot to mention or leverage. I’d also like to see true zero loss financial data anonymisation with credit validation by encrypted checksum.

    2. Pascal Monett Silver badge

      Re: Data protection laws of world.

      You're absolutely right. This situation is ridiculous - let's create a new standard.

      1. StuntMisanthrope

        Re: Data protection laws of world.

        Tweet the G20, that's what you're here for. Not a new standard either. China and Africa are mag-stripe and the states are somewhere in between. If you've travelled through the middle with foreign cards, it's a lottery whether, POS, ATM or ePOS works anyway. This is why I moan about banking etc... #quellesurprise #enthalpyoscillation

  7. monty75
    FAIL

    Intruder in their network since 2014. Monitoring system noticed it in September 2018. Had someone forgotten to switch it on for four years?

    1. cbars Bronze badge

      Or they only built it this year. Hmmm, what could have prompted that new-found interest in the processing of personal info? Some companies just Genuinely Don't Perceive Risk, and sometimes they do, but only once it's too late.

    2. steviebuk Silver badge

      Possibly had someone in charge who didn't want to pay out for IT security. And now has someone who finally did want to pay out.

      1. Anonymous Coward
        Anonymous Coward

        @steviebuk

        So obviously all the losses from this are on the new guy, right?

        "If we never looked, we'd never know we were breached."

    3. adgec

      They meant to say 'recently purchased monitoring system which their IT team had been requesting for 4 years and only recently got signed off when they stuck the letters G,D,P and R in their business case'
