Equifax, 143 Million
Lest we forget.
US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …
@wyatt
I've done the opposite before: flagged that the card is going out of the UK.
It must be 10 years ago that I visited Chile. After a couple of days I tried to use my debit card to withdraw cash - nope! Seconds later I got a text from the bank telling me about it and saying to reply to unblock.
Had similar texts (but not blocks) when I used Lloyds CC to order stuff directly from a shop in Santiago. "Was this you? If not phone...."
But yes, why does anyone need to store CC numbers once the transaction has been verified - or even before if you use a portal like Paypal?
>But yes, why does anyone need to store CC numbers once the transaction has been verified
Hotels get a special PCI exemption (like car rental); otherwise they would need your card when you book to take a deposit, you'd queue again at check-in to pay, then queue at checkout to pay for any other charges.
People don't like queuing, and the majority of hotels in the USA are booked on business trips, so nobody cares if the card is ripped off.
After working in banking for four years and moving on from that horror show, I can confirm that nearly every major bank does have this feature. Which department you contact pretty much depends on who you bank with. I know that during banking hours (9am - 5pm ish) you can speak to debit card fraud prevention and they will be able to add this feature; however, whether or not they implement it will depend on the agent you get. I know that's not the most useful answer but it's pretty accurate.
Revolut do disposable virtual debit cards with a premium subscription. £7 pm I think.
Probably similar banks do as well.
They've also got location-based security, do/don't allow contactless or internet purchase, and freeze-card options with their standard service.
I do remember seeing Barclays advertising at least the freeze card option.
So called 'challenger' banks are probably more likely to offer these features than the big boys as a differentiator.
Personally I started using Revolut because it allows me to do commission free foreign transfers at the interbank rate but YMMV.
My key problem with Revolut is this:
3.4. When we hold Electronic Money for you, us holding the funds corresponding to the Electronic Money is not the same as a Bank holding money for you in that: […] (c) your Electronic Money is not covered by the Financial Services Compensation Scheme.
This put a few thoughts in my head. I've done PCI in the restaurant industry, and credit card numbers never need to be stored there. But, do I understand correctly that hotels keep numbers on file for ongoing charges and as a hedge against guests who might take off without paying? That's a major challenge. Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel. That way the hotel can deal with ongoing charges without storing a card number that could potentially be used by anybody. But, given the time it took to get chips in the States, I imagine this won't happen overnight.
Well, Marriott use the Opera property management system, which is now owned by Oracle.
They were also one of the first to sign up to using it in the Oracle Cloud. Therefore there should not be a customer database that would be locally accessible to anyone.
The Opera system can also utilise the Oracle Payment Interface (OPI). This does allow modern, fully tokenised credit card support; however, this has only been available for a short time and would not be the default with this service.
Opera also has a number of APIs that allow you to retrieve and download customer data and can download CC data that isn't tokenised.
So maybe they were polling the data down from the cloud into a separate db, maybe their web service was copying the data to an internal db when it was making the booking.
Marriott have said "We also do a lot of research on transactional data to understand the value of getting an additional point of conversion through a new medium and what helps to drive that conversion. Based on what the data shows us and what customers are telling us, we try to marry the two together to reach informed decisions about the business."
So it would seem they like to pull data into a centralised analytics system of some kind.
Hopefully it won't be Oracle's cloud which has had issues!
If it started in 2014, I doubt it's Oracle Cloud, as it didn't exist for Hospitality, nor did Opera, which is Java, and Opera Cloud v1 isn't widespread in general except for the fleet and test-beds; plus the acquisition was a couple of years later. It sounds to me like it's loyalty related, though I'm not familiar with their architecture other than common knowledge.
If it started in 2014. I doubt its Oracle Cloud as it didn't exist for Hospitality ....
But what about the acquired businesses that Oracle borged? In particular, Micros, who were an EPOS and hospitality specialist, and themselves a product of the horrible "snowball acquisition" model that afflicts ERP and EPOS vendors.
1. Not all hotels have Opera cloudy servers. Some are still physically at the hotel.
2. It's quite possible that they breached "Valhalla", their back-end reservations database. This is probably why it is limited to Starwood hotels and not the whole group, as Marriott use a different system.
> Maybe what's needed is a token issued at the time of check-in against the guest's credit card that can only be used by that particular hotel.
Just like the APIs that most card processors provide, and have done for years?
When that ecommerce site offers to save your payment details, this is what should be used. There is no need to hold details (beyond a few masked digits so customers can recognise which card has been saved).
(Might be all card processors for all I know, certainly the APIs I've used all have this option.)
"Just like the APIs that most card processors provide, and have done for years?"
There's a little bit more to it than that. Fine if you are just creating an e-commerce website, but when dealing with a full-fat property management system that is interlinked with multiple third-party systems, the payment service provider is just a small link in the chain. There are multiple factors involved with running full tokenisation, including the requirement for a hotel's special allowance to do long-term deposits, card authorisations and end-of-day re-authorisations (once again across multiple systems from different suppliers).
So the API that allowed it for Opera (which Marriott uses AFAIK) has only become properly available since the Oracle Payment Interface and API became available to use this year. Even then it only works with a PSP that supports it, and they in turn have to support your PED, and both of them have to support your Acquirer, which also has to support your bank. If you have legacy suppliers it gets a bit harder.
That's exactly why innovative startups succeed in all industries...a defence of the status quo as opposed to a drive for positive improvement.
You can change and improve if you want to.
You can have multiple accounts so you can do an orderly transition...heck acquirers will give you a temp account to help with the transition...you just have to ask for one.
What you want is something like a Kerberos ticket: a token which proves you've seen the card and which gives you some rights (like taking money from the card up to some limit) for a finite time, beyond which it becomes valueless.
From other replies it looks as if these do exist?
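A worked sketch of the token model described in the comments above (a hotel-bound token with a spending cap and an expiry, with the merchant keeping only a masked PAN). This is an added example, not code from the thread or from any real processor's API; the vault, the merchant IDs, the limits and the card number 4111111111111111 (a standard Luhn-valid test number) are all constructed for illustration.

```python
"""Minimal card-tokenisation vault (added illustration, not a real PSP API).

The merchant (a hotel property system) receives an opaque token plus a
masked PAN and never sees the full card number again.  The vault enforces:
  - merchant binding: a token leaked from hotel A is useless to hotel B
  - a spending cap across all charges made with the token
  - a hard expiry, after which the token is valueless (Kerberos-ticket style)
All identifiers and sample values are constructed for this example.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault refuses garbled card numbers at issue time."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """The only card data a merchant should retain: the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Grant:
    pan: str                  # full PAN lives only inside the vault
    merchant_id: str          # token is bound to this merchant
    limit: int                # spending cap in minor units (pence/cents)
    spent: int                # running total charged so far
    expires_at: datetime
    revoked: bool = False


class TokenVault:
    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}

    def issue(self, pan: str, merchant_id: str, limit: int,
              ttl: timedelta, now: datetime) -> tuple[str, str]:
        """Return (token, masked_pan).  The token is random and unrelated to the PAN."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_urlsafe(24)
        self._grants[token] = Grant(pan, merchant_id, limit, 0, now + ttl)
        return token, mask_pan(pan)

    def charge(self, token: str, merchant_id: str, amount: int,
               now: datetime) -> tuple[bool, str]:
        """Attempt a charge; every refusal reason is checked before the PAN is touched."""
        g = self._grants.get(token)
        if g is None:
            return False, "unknown token"
        if g.revoked:
            return False, "token revoked"
        if g.merchant_id != merchant_id:
            return False, "token bound to another merchant"
        if now >= g.expires_at:
            return False, "token expired"
        if amount <= 0:
            return False, "bad amount"
        if g.spent + amount > g.limit:
            return False, "over spending cap"
        g.spent += amount
        # Only here, inside the vault, would the PAN be passed to the acquirer.
        return True, f"charged {amount} against {mask_pan(g.pan)}"

    def revoke(self, token: str) -> None:
        if token in self._grants:
            self._grants[token].revoked = True

    def purge(self, now: datetime) -> int:
        """Retention: delete grants once expired or revoked; returns count removed."""
        dead = [t for t, g in self._grants.items() if g.revoked or now >= g.expires_at]
        for t in dead:
            del self._grants[t]
        return len(dead)


def demo() -> tuple[str, list[bool], int]:
    """Walk through a check-in: one token, four charge attempts, then a purge."""
    vault = TokenVault()
    t0 = datetime(2018, 11, 30, 12, 0)
    token, masked = vault.issue("4111111111111111", "hotel-A",
                                limit=50000, ttl=timedelta(days=7), now=t0)
    results = [
        vault.charge(token, "hotel-A", 20000, t0 + timedelta(days=1))[0],  # deposit: accepted
        vault.charge(token, "hotel-B", 100, t0 + timedelta(days=1))[0],    # stolen token elsewhere: refused
        vault.charge(token, "hotel-A", 40000, t0 + timedelta(days=2))[0],  # exceeds remaining cap: refused
        vault.charge(token, "hotel-A", 100, t0 + timedelta(days=8))[0],    # after expiry: refused
    ]
    purged = vault.purge(t0 + timedelta(days=8))
    return masked, results, purged


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that a dump of the hotel's own database yields tokens that are bound to one merchant and already time-limited, and the vault's purge step gives the "delete what you no longer need" behaviour a retention policy wants; a real processor's tokenisation API adds key management and acquirer integration on top of this shape.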
Actually there is a product you can get for online purchases.
The other thing is that there is a company that tokenizes the CC details so that companies like Marriott don't store the CC # and stuff.
There's more, but the real problem is that we have the Mongol horde of programmers who really don't know what they are doing behind the scenes. (Or you could use Vandals too ... )
Thanks for the feedback - I've now received my email, to the correct address, but the website still claims that my email is invalid.
I've spoken to a very nice man on the helpline who admitted that he's only there to handle the calls; he has nothing more he can do for me apart from pass it on to tech support.
sigh
It’s hefty and you’ll need a couple of reams of paper.
To save you the trouble. In my opinion we need a global legal API (!?) framework.
If you know your PCI and loyalty there’s big gaps continent wise and there also needs to be a discussion about geo-location silo-ing, escrow, times expiry and mega-data policy. #whatsyourvectorvictor
Tweet the G20, that's what you're here for. Not a new standard either. China and Africa are mag-stripe and the States are somewhere in between. If you've travelled through the middle with foreign cards, it's a lottery whether POS, ATM or ePOS works anyway. This is why I moan about banking etc... #quellesurprise #enthalpyoscillation
“Due Diligence...perhaps a pentest pre acquisition...then there is the two years since they bought it.“
I suspect this may be a case of a large, decentralised infrastructure - it could be as simple as a long-forgotten dial-up connection that was used for support in the distant past.
Comprehensively testing for that type of flaw can be challenging and easily overlooked in the midst of cost cutting, staff changes and an acquisition.
I thought that. I find it very hard to believe that anything remotely like half a billion separate people go anywhere near a Marriott hotel in any given five-year period.
I mean, that's pretty close to the entire population of Europe and the USA combined. Including children. It doesn't pass the laugh test.
Don't get me wrong, these breaches are bad news, but I was just wondering how many people have had real money stolen or an increase in spam because of one of them?
I'm not saying these companies don't deserve everything they get in the way of fines etc I was just wondering what happens to the data.
My card details got into the wild after the British Airways hack, and rogue transactions started to hit in < 24 hours. Fortunately my bank was on top of it (and yes I had notified them) and I think between us we caught all of the dodgy ones. So, yes it's very possible people lose "real money" from these breaches. I was lucky, and was paying attention.
As an aside: unfortunately this (and the subsequent card cancellation) hit exactly at the time I was trying to use the card to pay for a car hire in Italy, which added an extra layer of entertainment to the usual Italian car-hire circus.
Glad it worked out well (in the end) for you. Hopefully it won't be too long before banking switches to using MFA with a one-time-pad app on people's phones. Not difficult to do. I know this won't be convenient for everyone right now but as time goes on it seems to be the way to go.
"Hopefully it won't be too long before banking switches to using MFA with a one-time-pad app on people's phones."
Ha! I'll see your one-time pad and raise you contactless.
Then I'll raise you signatures in the US...
Then I'll raise you adding the tip in after you've signed the bill...
Northern Minnesota is actually quite nice, and I drove from MSP up to and into Canada some years back. I don't think I enjoyed the drive up from Chicago back to MSP on the same trip around the Great Lakes (but the weather had turned and it was wet/sleet), and the views weren't as great in the south, to the best of my recall.
There's hardly ever any crossover between virtual and physical crime. They'd have to get this information in real time and have a nationwide network of burglars on call to monetize that. Even the mob wouldn't be able to do that these days.
Most likely the hackers are halfway around the world, and couldn't care less about knowing when I'm out of my house for a few days.
Might not be as big as Yahoo! but that info seems a lot more identity-theftable. CC# are easy: just get a new one, the rest is not.
Are passport #s and DOBs globally mandated for storage? I know France had police-requested guest registration info for a while, maybe still does. But most of the time now CC# and license plate is all that's needed. DOB? Why?
Security 101: if you don’t store it, it can’t be hacked.
Security 101: if you don’t store it, it can’t be hacked.
I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability* to them and they should delete what they can as soon as they can. If someone hasn't purchased from you in that last 6 months (and you're not an automatic repeat biller), then probably best to delete the card number... it's not like you're saving the customer loads of time re-entering it when they hardly order from you anyway.
* previously it made sense to hoard as much data as possible. With GDPR the mining potential is limited because you're not allowed to exploit it easily, and obviously, with GDPR, data loss can = financial loss.
"I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability"
You're quite right, but it's not easy to break the habits of a lifetime. It doesn't help that for a lot of management bods the desire to hoard and exploit data is part of their personality; it's what got them into those roles. It's probably going to take a few fines on a scale prompted by intent to make an example of a few miscreants before the message gets through. And then a few more top-tier fines on a few businesses who try to cover up to get that message through as well.
Always had, still have, although there ARE ways to slip through if you really want to. Most countries have similar requirements, especially for foreigners. I can't remember registering in a hotel in the Americas, Europe, Asia or Africa without providing a piece of ID (or a couple of locally-tradable pieces of paper money, which I tend not to do, out of principle).
Most countries seem to be a bit random IME. I've had hotels in Blighty, as well as various other countries in Europe and elsewhere, ask for my passport or comparable ID. And others that take a more relaxed attitude.
They do all seem to want a creditcard on booking and checkin. And recently they don't bother with it on checkout, which implies the capability to debit it some days later than reading it. I should hope that works with a single-use token rather than storing the whole thing!
Well then, if I was designing hotel POS systems, I'd
1. limit ID intake to strictly what’s _locally_ legally required.
2. upload to the relevant police db and delete
3. if 2 doesn’t exist, delete as soon as you reach end of locally legislated retention period.
fwiw, when I visit the US, it’s always just the CC# and car plate #. ditto within Canada. so that’s at least 2 countries not needing retention.
In Italy it was also common that a hotel could actually register you *only* if you paid with a traceable means - lots of cash still in use - and often the card reader was "not working", especially for foreign tourists - to evade taxes they could not register a lot of guests... (more common in small hotels, big groups probably less so). Now with counter-terrorism rules, it could have become riskier.
"burning the CC's and going cash only. No checks either."
The way things are going it'll be impossible to get hold of cash, at least in the UK. You can't get cash from your now-closed bank branch and you'll need a card to get cash out of an ATM. And that assumes the ATM network survives.
It's high time retention of banking licences was tied to meeting standards of accessibility and customer service with the required standards being notched up each year.
Nah! 500 million transactions, maybe, but not 500 million customers. Even if it's worldwide, I suspect a lot are in the USA, and a fair proportion of the population there can't afford to stay in a decent house, never mind a Marriott hotel. And I'm sure a lot of their customers tend to be regular repeat offenders, so probably only 50-100 million, i.e. less than Equifax. Pah! Piffling small change!
Since 2014 some of the cards will have expired so they'll be counting the originals and the replacements. Then there are customers with multiple cards. And some of the customers will have changed address or given a home address sometimes and a business address at others. Even if it's card plus address combinations rather than transactions there'll be a good deal of multiple counting of individuals going on.
Not that I don't already do it to a large extent online, but I'm starting to wonder why I don't just get black market new identities, just so when they get inevitably compromised, it's less upsetting.
Still. Happily not a Marriott customer, ever. When I contracted for IBM they did pay for a hotel once - oh, wait, Travelodge were already hit this past summer!
"Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014."
Unauthorised access for four years. The entire booking database with 500 million guest details in it but no one noticed anything.
Equifax were bitch slapped with a fine but these guys are going to be ass kicked.
*YAWN*
Cue the standard "We'll pay for credit monitoring (by handing all your info to Equifax) for a year, and we take customer yada-yada seriously, also we have measures in place like not having the admin password '1234' to probably make sure this doesn't happen again; also since you used our website, you agreed to the T&C's, and individual arbitration, no class-action lawsuits, and so on. We strive for excellence and value our relationship with shareholders customers guests."
This is getting old...
....due to so many companies seeing IT as just an unnecessary expense. I sat in the Pullman Hotel in London early in the year and, while bored in my room, just scanned the network. Surely such a business hotel would have at least wireless isolation on.
Nope!
Shocking.
I reported all the findings on Twitter to them while there. Granted, was only there a few days and during that time it was slowly being locked down after my reports, but how long had it not been? At one point there was access to one of the servers that controlled heating somewhere in the hotel or it was a reporting system, I can't quite remember. But it clearly hadn't been patched in years. You could even see their own office PCs on the network that all guests have access to.
I've seen some bad setups at small, family-run lodge places, which still shouldn't happen but is more understandable, but at a big chain and business hotel it is unforgivable.
I now wonder if Pullman has ever had any breaches and just kept quiet or still not realised.
It opens:
'Marriott values our guests and understands the importance of protecting your personal information'
This must be a new policy.
'the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)'
So we can assume our passport numbers have been left in plaintext and are now in the hands of the PLA. Unlike credit cards it is hard to know if this data has been misused and not easy to get a free replacement if you suspect yours has been misused.
I wonder if Marriott fancies coughing up for half a billion new passports?