Three strikes
Oops sorry doesn't cut it here.
New directors please.
Crooks have reportedly made off with 20GB of data from Marriott Hotels, which apparently included credit card info and internal company documents. The unnamed crew behind the theft told DataBreaches it broke into a server at the Marriott hotel at Baltimore-Washington International Airport in Maryland late last month. The …
Oops. Marriott can't seem to keep people from stealing their customers' data from their systems.
The only consequences for a data breach like this are a couple of public "apologies", perhaps a small fine, maybe even a ransom if that's the way it went. Big deal, their financial loss is probably less than insurers would charge them. Particularly insurers who have been careful to estimate the actual risk by reviewing processes and practices.
What organizations like this need is some form of serious financial motivation to make it worth their while to protect other people's data that they keep. But that likely means regulation. At least in the US, that can't be done - too many lobbyists, too little actual governing.
I just phoned up one of my pension companies. They had an incorrect phone number for me and an incorrect email address. Not a mistake, as you might at first think, but actually someone has been trying to steal my pension funds, and has set up false accounts with a couple of banks, free email service provider etc. A few years ago they got away with nearly £100k from my accounts, all from the comfort of their extinct volcano HQ offices but not by subverting me, just the companies I had saved with (I got my money back eventually).
As the UK's 'ActionFraud' takes no actual action whatsoever for personal callers, if you have no conscience, but some social engineering and IT skills and like to work from home, this is a business opportunity that pays big, with likely little risk of actually being caught. Please do not do this; logging on to your pension provider web site to discover your account balance is £0 is a very shocking experience.
There must come a time when one has to say that the evidence is overwhelming that either the top management is completely inept, or it doesn't give a flying duck.
In this case, I think, even if it hadn't already happened a while ago, surely it has now.
I'm very glad that they've never scanned any of my credit cards, nor any of my ID documents, and if it's left up to me, they never will.
It's just a great shame that if the chain suffers, or even goes bust, almost inevitably the ordinary hard-working people who are employed by the business (and have no way to contribute to its IT security, even if it were reasonable to expect it of them) will suffer far more than the senior management.
At what point could it be said that the negligence was criminal? It can't be far off.
"I'm very glad that they've never scanned any of my credit cards, nor any of my ID documents, and if it's left up to me, they never will"
I'd like to think that's the case for me too, but one can never be sure just who runs that hotel you booked. Is it a sub-brand or sub-sub-brand or recent acquisition of some global brand? In my case, it's quite unlikely. The only hotels I've been booked into in the last 10 years have been for business and booked through my employer, so they should only have my name and my employer's details, possibly my mobile phone number (also provided by my employer).
“Once is happenstance. Twice is coincidence. Three times is enemy action” Ian Fleming
I'd argue that the enemy in this case is top management. A deliberate and considered lack of competent action. I smell a lawsuit that might take the company AND the directors down.
Beer icon, but really deserves Beer and Popcorn. I will enjoy watching the fallout from this - to serve as a warning to others.
Never ascribe to malice what can be perfectly explained by incompetence. The fundamental problem (which I've encountered consistently for decades of consulting) is that security is about 'IT', but almost all the successful attacks these days (and for quite some time already) result from manipulating the psychology of folks who haven't been taught what the hazards are, how to recognise them, or how to counter them. 'Security awareness training' (even where it's undertaken) is an almost universal waste of time as it doesn't address the problems in terms the trainee can relate to. Add to the mix an effective failure of governance whereby responsibility is delegated without oversight (what I call 'fire and forget management') and the multiple breaches are fully explained, as nobody at any level of the organisation learns from any of them so they're surprises every time.
At BT Global Services (no idea what it is called now, but hey ho) I heard a presentation by Tim Smart*, then our big boss. He was talking about delegation and said what he liked was the Vietnam war concept of 'fire and forget'. He wanted to make a decision and just forget. I pointed out to a colleague that the only quote from the Vietnam war that is worth remembering was what the senior US general said after Phnom Penh was surrounded by the Viet Minh (they were called the Viet Cong to make them sound more butch).
"We're fucked."
The assembled press were aghast and asked the general to describe the situation in a way they could print. He said:
"No, we're fucked. They can kill us any time they like."
* https://www.dailyecho.co.uk/news/14751690.tim-smart-chairman-of-under-fire-southern-health-nhs-foundation-trust-quits/
Fred Daggy> “Once is happenstance. Twice is coincidence. Three times is enemy action” Ian Fleming
I see your Ian Fleming and raise you a Lady Bracknell:
“To lose one parent, Mr. Worthing, may be regarded as a misfortune; to lose both looks like carelessness.”
(The Importance of Being Earnest by Oscar Wilde)
(Sorry, but I need a bit of cheering up at the moment.)
Ta. I have a very nice cuppa (courtesy of 'Yumchaa' who do some exotic (steady they're all legal) teas, as well as Suki Tea and others ).
I am a bit sort of happier. The ongoing saga of the Boris Johnson government is entering its final stages, and whatever one thinks of Mr Johnson, the appalling mess of the last few days is making the UK a laughing stock around the world, so it will be good when it is over.
\begin{rant}
The truly inexcusable thing is that the parties' Whips' Office is responsible for knowing everything that could embarrass any of their MPs or debar them from office. They knew that Pincher was a sex pest and allowed him to be appointed to a position where he was responsible for discipline and wellbeing of the Tory MPs and their staff. That is not mere amnesia by the PM, that is gross incompetence (or worse) IMO. I can easily believe that Boris really did forget the briefing he received, but the Chief Whip should have known and prevented the appointment.
\end{rant}
And B R E A T H E
Yes, yes they are. Both parties have leverage. As a client, my ex-boss used to "ghost" some vendors for a certain period, and then call back with gripes and concerns and get a reduction, sucks you have to drop to that level to get a fair price for work. Some guys have the stones to play hardball...
The keyword was "blackmail" though; they never entered into a contract, they're more what you'd call a "victim" in this (a situation partially of their own making perhaps given their history, but still).
No doubt this being in the news at all was what they were threatening them with when asking for the ransom.
Are they still clients if you're offering them a discount on your blackmail demands?
Ask Oracle or IBM that question.
In the US, Marriott has been known to heavily spam-call, pretending to have an existing business relationship. I dislike the company so do not and have not used their lodging. Are their calls a type of blackmail?
Surely we've reached the point where companies should require a license to capture ANY customer personal data, whereby if they're hacked they lose that license?
It seems companies often get away with this sort of thing, only for the victims to potentially be defrauded 0.5/1/10/100 years later based on some of that data.
"only for the victims to potentially be defrauded 0.5/1/10/100 years later based on some of that data."
Yes, the usual sop is "one year's free identity theft protection". Which is a cheap get-out and not actually protection as such. It's more of an early warning system that your identity has just been stolen. And as you state, that data is still out there, and much of it can't be changed. Two, three, four or more years down the line, when your "free identity theft protection" has lapsed, you lose everything and can't claim back on the people who incompetently lost your data three years in a row.
It's reaching the point (or has already reached the point) where some people are probably running multiple and consecutive "free identity theft protection" because they have been subject to so many data thefts.
Wrong architecture.
If you have as many locations as hotels, with frequent employee replacement, there is only one great solution.
That is the classic architecture. Some call it Mainframe, others call it Citrix/Terminal Server (with no Internet access from the remote desktop), yet others call it WebApps.
There is NO reason why huge amounts of data should exist in a hotel branch, no way it should be exportable to a USB drive in a hotel near Kremlin. They are handling GDPR personal data, even sensitive data in some cases.
The only people who should have access to bulk data are IT staff at a central location, whose access is limited with MFA - preferably good MFA (YubiKey or equivalent).
Thus wrong design causes huge data loss through a low-level employee. Nothing new here. But I think the EU should fine them 4% of their global turnover since it keeps happening; they clearly do not have sufficient technical or organizational means in place, despite 2 earlier warnings.
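The access model the comment above sketches (branch staff see one guest record at a time through a terminal session, nothing is exportable locally, and bulk access is reserved for central IT behind phishing-resistant MFA) can be written down as a policy check that sits in front of the data store. The following is an added example, not code from the commenter, Marriott or any real hotel system; the roles, property codes, MFA tiers and the `evaluate` function are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Mfa(Enum):
    """Assumed MFA tiers, ordered by phishing resistance."""
    NONE = 0
    OTP = 1        # SMS / authenticator code: can be phished or relayed
    HARDWARE = 2   # FIDO2 / YubiKey-class: bound to the origin, phishing resistant


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    role: str             # assumed roles: "front_desk", "branch_manager", "central_it"
    location: str         # property code the session comes from, or "central"
    mfa: Mfa
    scope: str            # "single_record" or "bulk"
    record_property: str  # property that owns the requested record ("" for bulk)
    export: bool          # wants a local copy (download, USB, print-to-file)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


BRANCH_ROLES = {"front_desk", "branch_manager"}


def evaluate(req: AccessRequest) -> Decision:
    """Apply the 'data stays central' policy to one request.

    Deny-by-default: every allow path names the conditions it checked,
    so an audit log of decisions explains itself.
    """
    # Rule 1: no local copies anywhere, for anyone. Data lives on central systems.
    if req.export:
        return Decision(False, "local export forbidden: data must stay on central systems")

    # Rule 2: bulk reads only for central IT, from the central location, with hardware MFA.
    if req.scope == "bulk":
        if req.role != "central_it":
            return Decision(False, "bulk access reserved for central IT")
        if req.location != "central":
            return Decision(False, "bulk access only from the central location")
        if req.mfa is not Mfa.HARDWARE:
            return Decision(False, "bulk access requires phishing-resistant MFA")
        return Decision(True, "central IT at central location with hardware MFA")

    # Rule 3: single-record reads for branch staff, limited to their own property.
    if req.scope == "single_record":
        if req.mfa is Mfa.NONE:
            return Decision(False, "MFA required for any access to guest data")
        if req.role in BRANCH_ROLES:
            if req.record_property != req.location:
                return Decision(False, "record belongs to another property")
            return Decision(True, "branch staff reading a record of their own property")
        if req.role == "central_it":
            return Decision(True, "central IT single-record read")
        return Decision(False, f"unknown role {req.role!r}")

    return Decision(False, f"unknown scope {req.scope!r}")


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One line per decision, suitable for shipping to a central log."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} principal={req.principal} role={req.role} "
            f"location={req.location} scope={req.scope} mfa={req.mfa.name} "
            f"export={req.export} reason={decision.reason!r}")


if __name__ == "__main__":
    # Constructed sample requests illustrating each branch of the policy.
    samples = [
        AccessRequest("desk.bwi", "front_desk", "BWI", Mfa.OTP, "single_record", "BWI", False),
        AccessRequest("desk.bwi", "front_desk", "BWI", Mfa.OTP, "single_record", "DCA", False),
        AccessRequest("desk.bwi", "front_desk", "BWI", Mfa.OTP, "bulk", "", False),
        AccessRequest("ops.alice", "central_it", "central", Mfa.OTP, "bulk", "", False),
        AccessRequest("ops.alice", "central_it", "central", Mfa.HARDWARE, "bulk", "", False),
        AccessRequest("ops.alice", "central_it", "central", Mfa.HARDWARE, "bulk", "", True),
    ]
    for r in samples:
        print(audit_line(r, evaluate(r)))
```

The point of keeping the rules this explicit is that each denial carries a reason string, so the same function that enforces the policy also produces the evidence a regulator or incident responder would ask for: which requests for bulk data came from a branch session, and whether anyone attempted a local export.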