Marriott Hotels admits to third data breach in 4 years

Crooks have reportedly made off with 20GB of data from Marriott Hotels, which apparently included credit card info and internal company documents.  The unnamed crew behind the theft told DataBreaches it broke into a server at the Marriott hotel at Baltimore-Washington International Airport in Maryland late last month. The …

  1. Wellyboot Silver badge
    Unhappy

    Three strikes

    Oops sorry doesn't cut it here.

    New directors please..

    1. Doctor Syntax Silver badge

      Re: Three strikes

      New directors? No; make three strikes mean out. There needs to be a mechanism to compulsorily wind up companies who fail so repeatedly.

  2. wub

    Motivation

    Ooops. Marriott can't seem to keep people from stealing their customers' data from their systems.

    The only consequences for a data breach like this are a couple of public "apologies", perhaps a small fine, maybe even a ransom if that's the way it went. Big deal, their financial loss is probably less than insurers would charge them. Particularly insurers who have been careful to estimate the actual risk by reviewing processes and practices.

    What organizations like this need is some form of serious financial motivation to make it worth their while to protect other people's data that they keep. But that likely means regulation. At least in the US, that can't be done - too many lobbyists, too little actual governing.

    1. Cynical Pie

      Re: Motivation

      In their defence 1 of the previous breaches happened with a smaller chain they bought out before Marriott took over and at the point of purchase the incident hadn't been identified

      1. Doctor Syntax Silver badge

        Re: Motivation

        Due diligence needs to be a lot more diligent.

  3. Eclectic Man Silver badge
    Unhappy

    Business opportunity

    I just phoned up one of my pension companies. They had an incorrect phone number for me and an incorrect email address. Not a mistake, as you might at first think, but actually someone has been trying to steal my pension funds, and has set up false accounts with a couple of banks, free email service provider etc. A few years ago they got away with nearly £100k from my accounts, all from the comfort of their extinct volcano HQ offices but not by subverting me, just the companies I had saved with (I got my money back eventually).

    As the UK's 'ActionFraud' takes no actual action whatsoever for personal callers, if you have no conscience, but some social engineering and IT skills and like to work from home, this is a business opportunity that pays big, with likely little risk of actually being caught. Please do not do this; logging on to your pension provider web site to discover your account balance is £0 is a very shocking experience.

  4. sitta_europea Silver badge

    There must come a time when one has to say that the evidence is overwhelming that either the top management is completely inept, or it doesn't give a flying duck.

    In this case, I think, even if it hadn't already happened a while ago, surely it has now.

    I'm very glad that they've never scanned any of my credit cards, nor any of my ID documents, and if it's left up to me, they never will.

    It's just a great shame that if the chain suffers, or even goes bust, almost inevitably the ordinary hard-working people who are employed by the business (and have no way to contribute to its IT security, even if it were reasonable to expect it of them) will suffer far more than the senior management.

    At what point could it be said that the negligence was criminal? It can't be far off.

    1. John Brown (no body) Silver badge

      "I'm very glad that they've never scanned any of my credit cards, nor any of my ID documents, and if it's left up to me, they never will"

      I'd like to think that's the case for me too, but one can never be sure just who runs that hotel you booked. Is it a sub-brand or sub-sub-brand or recent acquisition of some global brand? In my case, it's quite unlikely. The only hotels I've been booked into in the last 10 years have been for business and booked through my employer so they should only have my name and my employer's details, possibly my mobile phone number (also provided by my employer).

  5. Fred Daggy Silver badge
    Pint

    “Once is happenstance. Twice is coincidence. Three times is enemy action” Ian Fleming

    I'd argue that the enemy in this case is top management. A deliberate and considered lack of competent action. I smell a lawsuit that might take the company AND the directors down.

    Beer icon, but really deserves Beer and Popcorn. I will enjoy watching the fallout from this - to serve as a warning to others.

    1. Mike 137 Silver badge

      "A deliberate and considered lack of competent action"

      Never ascribe to malice what can be perfectly explained by incompetence. The fundamental problem (which I've encountered consistently for decades of consulting) is that security is about 'IT', but almost all the successful attacks these days (and for quite some time already) result from manipulating the psychology of folks who haven't been taught what the hazards are, how to recognise them, or how to counter them. 'Security awareness training' (even where it's undertaken) is an almost universal waste of time as it doesn't address the problems in terms the trainee can relate to. Add to the mix an effective failure of governance whereby responsibility is delegated without oversight (what I call 'fire and forget management') and the multiple breaches are fully explained, as nobody at any level of the organisation learns from any of them so they're surprises every time.

      1. Eclectic Man Silver badge
        Unhappy

        Re: "A deliberate and considered lack of competent action": fire and forget

        At BT Global Services (no idea what it is called now, but hey ho) I heard a presentation by Tim Smart*, then our big boss. He was talking about delegation and said what he liked was the Vietnam war concept of 'fire and forget'. He wanted to make a decision and just forget. I pointed out to a colleague that the only quote from the Vietnam war that is worth remembering was what the senior US general said after Phnom Penh was surrounded by the Viet Minh (they were called the Viet Cong to make them sound more butch).

        "We're fucked."

        The assembled press were aghast and asked the general to describe the situation in a way they could print. He said:

        "No, we're fucked. They can kill us any time they like."

        * https://www.dailyecho.co.uk/news/14751690.tim-smart-chairman-of-under-fire-southern-health-nhs-foundation-trust-quits/

        1. Doctor Syntax Silver badge

          Re: "A deliberate and considered lack of competent action": fire and forget

          He sounds like an excellent fit with the rest of BT muppets top management.

    2. Eclectic Man Silver badge
      Joke

      Fred Daggy> “Once is happenstance. Twice is coincidence. Three times is enemy action” Ian Fleming

      I see your Ian Fleming and raise you a Lady Bracknell:

      “To lose one parent, Mr. Worthing, may be regarded as a misfortune; to lose both looks like carelessness.”

      (The Importance of Being Earnest by Oscar Wilde)

      (Sorry, but I need a bit of cheering up at the moment.)

      1. H in The Hague
        Pint

        "(Sorry, but I need a bit of cheering up at the moment.)"

        Have one of these --> or a nice cuppa might be even better.

        1. Eclectic Man Silver badge

          Ta. I have a very nice cuppa (courtesy of 'Yumchaa' who do some exotic (steady they're all legal) teas, as well as Suki Tea and others).

          I am a bit sort of happier. The ongoing saga of the Boris Johnson government is entering its final stages, and whatever one thinks of Mr Johnson, the appalling mess of the last few days is making the UK a laughing stock around the world, so it will be good when it is over.

          \begin{rant}

          The truly inexcusable thing is that the parties' Whips' Office is responsible for knowing everything that could embarrass any of their MPs or debar them from office. They knew that Pincher was a sex pest and allowed him to be appointed to a position where he was responsible for discipline and wellbeing of the Tory MPs and their staff. That is not mere amnesia by the PM, that is gross incompetence (or worse) IMO. I can easily believe that Boris really did forget the briefing he received, but the Chief Whip should have known and prevented the appointment.

          \end{rant}

          And B R E A T H E

      2. David 132 Silver badge
        Happy

        “A HANDBAG?”

        -also Lady Bracknell, albeit less relevant to this discussion…

        1. Eclectic Man Silver badge

          I've just watched the Judi Dench, Colin Firth version of 'the Importance'. Beautifully done, especially Frances O'Connor who plays 'Good Heavens' Gwendolen perfectly.

  6. Valeyard

    clients

    we are always willing to find a deal with our clients and told Marriott that we can provide all the discounts in the world

    are they still clients if you're offering them a discount on your blackmail demands?

    1. chivo243 Silver badge

      Re: clients

      Yes, yes they are. Both parties have leverage. As a client, my ex-boss used to "ghost" some vendors for a certain period, and then call back with gripes and concerns and get a reduction, sucks you have to drop to that level to get a fair price for work. Some guys have the stones to play hardball...

      1. Valeyard

        Re: clients

        the keyword was "blackmail" though, they never entered into a contract, they're more what you'd call a "victim" in this (a situation partially of their own making perhaps given their history, but still).

        No doubt this being in the news at all was what they were threatening them with when asking for the ransom

        1. Old Used Programmer

          Re: clients

          The problem with paying the danegeld is that you never get rid of the Dane. --Rudyard Kipling

          1. Doctor Syntax Silver badge

            Re: clients

            The truth of that is that you never get rid of the geld. It was Richi Sunak's lot that were collecting it recently - who'll be in charge when you read this is anyone's guess.

            1. Doctor Syntax Silver badge

              Re: clients

              Richi. There's a Freudian slip.

    2. cd

      Re: clients

      are they still clients if you're offering them a discount on your blackmail demands?

      Ask Oracle or IBM that question.

      In the US, Marriott has been known to heavily spam-call, pretending to have an existing business relationship. I dislike the company so do not and have not used their lodging. Are their calls a type of blackmail?

  7. Ken Hagan Gold badge

    "red hat"

    Can they really claim that if they've issued a demand for cash?

    1. Gene Cash Silver badge

      Re: "red hat"

      This is the first time I've heard the term, actually. It sounds like people trying to muddy the water and deny that they're criminals.

      1. EnviableOne
        Paris Hilton

        Re: "red hat"

        never heard of red hats (except them that got bought by big blue) before this article,

        as far as I was aware hats only came in shades (Black through white) not colours

      2. runt row raggy

        Re: "red hat"

        at my company all terms that contrast black and white are verboten. so black hat, and blacklist are bad but black holing is ok, but dev nulling would be preferred. racial sensitivity reasons.

        just reporting the facts, not expressing an opinion.

  8. elaar

    Surely we've reached the point where companies should require a license to capture ANY customer personal data, whereby if they're hacked they lose that license?

    It seems companies often get away with this sort of thing, only for the victims to potentially be defrauded 0.5/1/10/100 years later based on some of that data.

    1. John Brown (no body) Silver badge

      "only for the victims to potentially be defrauded 0.5/1/10/100 years later based on some of that data."

      Yes, the usual sop is "one year's free identity theft protection". Which is a cheap get-out and not actually protection as such. It's more of an early warning system that your identity has just been stolen. And as you state, that data is still out there, and much of it can't be changed. Two, three, four or more years down the line, when your "free identity theft protection" has lapsed, you lose everything and can't claim back on the people who incompetently lost your data three years in a row.

      It's reaching the point (or has already reached the point) where some people are probably running multiple and consecutive "free identity theft protection" because they have been subject to so many data thefts.

      1. Doctor Syntax Silver badge

        And the providers of that "protection" seem to be the credit reference agencies who already hold so much data about you that they're already proven targets.

  9. Kev99 Silver badge

    Oh, don't worry about it. That bunch of holes held together with string is perfectly safe. Besides, it doesn't cost anything.

  10. Mayday
    Stop

    We take security very seriously

    And will make this statement again and again each time something bad occurs but do nothing to prevent it happening again.

    Viz. Thoughts and Prayers

  11. Povl H. Pedersen

    Wrong architecture.

    If you have as many locations as hotels, with frequent employee replacement, there is only one great solution.

    That is the classic architecture. Some call it Mainframe, others call it Citrix/Terminal server (with no Internet access from the remote desktop), yet others call it WebApps.

    There is NO reason why huge amounts of data should exist in a hotel branch, no way it should be exportable to a USB drive in a hotel near Kremlin. They are handling GDPR personal data, even sensitive data in some cases.

    The only people who should have access to bulk data are IT staff at a central location, whose access is limited with MFA - preferably good MFA (Yubikey or equivalent).

    Thus wrong design causes huge data loss thru a low level employee. Nothing new here. But I think EU should fine them 4% of their global turnover since it keeps happening, there clearly are not sufficient technical or organizational means in place, despite 2 earlier warnings.

  12. Potemkine! Silver badge

    Why is credit card information stored in the first place?

    Anyway, I hope European regulators will have a look at how Marriott manages personal data.
