Marriott: Good news. Hackers only took 383 million booking records ... and 5.3m unencrypted passport numbers

Hotel megachain Marriott International has gone into further detail on the cyber-raid on its reservation database, including the number of payment cards and passport details siphoned off by hackers. In an update today to its November 30 disclosure, Marriott now says the (allegedly Chinese) miscreants who broke into its …

  1. sprograms

    It seems to be an all-Chinese buffet at Marriott. "Marriott now says the (allegedly Chinese) miscreants who broke into its Starwood guest database..."

    It was only months ago that a Marriott employee made (on his own time, on his own social media) a comment critical of CPRC's abuse of Tibet....upon which Marriott promptly fired the man upon complaint by the Chinese. What has become of Marriott? Bowing to the People's Republic by sacrificing an employee unfairly. Did Marriott call the Communist Party and insist that one hundred of their best hackers get canned? Interested people want to know....

  2. chivo243 Silver badge

    Really covering their asses?

    I got a nice letter from Marriott and friends. Trouble is I don't think I've ever booked Marriott directly, especially during the target years. Was my banking/personal info transferred on by the third party? Or is Marriott just being extra cautious and carpet bombing any past customer with the boilerplate 'we're sorry, and won't do it again' spam campaign?

    1. katrinab Silver badge

      Re: Really covering their asses?

      Marriott branded hotels were not affected as they use a different system. Some of their other brands, such as Le Méridien, were affected.

  3. hellwig

    WTF do they do with Passport IDs?

    I'm not sure of the policies at work that require a hotel to record identifying information. Did my payment go through? Good, give me the damn keys and mind your own damn business.

    Create a unique identifier that only works in one place (i.e. your customer database). Hashed and salted appropriately, you CAN identify someone with that information without storing it plain text like a damn idiot.

    Oh I'm sure they have some facebook like philosophy of "collect whatever we can, it might one day prove useful", yeah, to the people who hack your system you morons.

    1. macjules

      Re: WTF do they do with Passport IDs?

      In 2018 I cancelled my main Visa debit card at least twice, thanks to British Airways and O2, cancelled my business Mastercard once (Marriott) and my (very rarely used) BA Amex card forever. I have pretty much given up on providing hotels with any card details now and I only reserve rooms that can be paid for via Carlson Wagonlit, and then only via monthly invoice from them.

    2. StuntMisanthrope

      Re: WTF do they do with Passport IDs?

      It's for identifying foreign nationals if and when necessary and from a legal perspective the contract and rights of the parties are different if you are a citizen of the jurisdiction you are staying in. Especially if there is a knock on the door.

      1. Danny 14

        Re: WTF do they do with Passport IDs?

        why were the passport numbers not encrypted? they clearly had encryption if the names were encrypted. Madness.

        1. Halfmad

          Re: WTF do they do with Passport IDs?

          My guess would be that it was a change to the system after it was brought in and the request didn't include encrypting it, so the developer didn't.

          Struggling to see any other scenario where it wouldn't be encrypted on purpose to be honest.

        2. Tomato Krill

          Re: WTF do they do with Passport IDs?

          Well, to be fair, if the names are encrypted then the numbers are... just numbers.

    3. Avatar of They

      Re: WTF do they do with Passport IDs?

      It happens in plenty of countries. I was in Barcelona and booked via booking.com (so not through a travel agent etc) and the hotel receptionist very kindly handed me a piece of paper in English which stated what they wanted and why (usual email, address etc). The passport number was listed and it explained that Spanish security services wanted to know about foreign visitors. Was almost like the hotel was explaining what they want and what they had to ask for and why.

      I assume your passport number is handed over by default if you book through a travel agent.

      I also assume the UK does just the same.

      1. Brenda McViking

        Re: WTF do they do with Passport IDs?

        I can't think of a country that doesn't require the big chain hotels (Marriott, Hilton, IHG, Accor etc) to report foreigners staying to local law enforcement. I've been to Israel, India, Morocco, Germany, Turkey, Japan, China, Singapore and the UAE in the past year - every single one wanted my passport on check-in, and most of them took a photocopy of it. The UK hotels do too if you're obviously a non-EU national.
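  hellwig's suggestion above (a one-way identifier that only works inside the guest database) is worth pinning down, because "hashed and salted" does not mean the same thing for a passport number as it does for a password. A per-record random salt would make the record impossible to find again by passport number, and a plain unsalted hash is brute-forceable because the passport-number space is small. The usual answer is a keyed, deterministic hash (a "blind index") whose key is kept outside the database. The block below is an added example, not code from the page or from any Marriott/Starwood system; the index key, the toy passport format (one letter plus four digits) and the sample records are constructed for illustration.

```python
# Added example: keyed blind index for looking up a guest by passport number
# without storing the number in the clear. Everything here is constructed;
# nothing is from Marriott, Starwood or The Register.
import hashlib
import hmac
import itertools
import string

# The index key must live outside the database (KMS/HSM, env var, config
# service). Anyone who dumps the tables must not get the key with them.
# Constructed value for the example; in practice load it from a KMS.
INDEX_KEY = bytes.fromhex("0f" * 32)


def normalise(passport_no: str) -> str:
    """Canonical form so 'a1234 ' and 'A1234' index to the same record."""
    return passport_no.strip().upper()


def blind_index(passport_no: str, key: bytes = INDEX_KEY) -> str:
    """Deterministic keyed hash (HMAC-SHA256). Same input -> same index, so
    equality lookups work, but without the key the index is just noise."""
    return hmac.new(key, normalise(passport_no).encode(), hashlib.sha256).hexdigest()


def unsalted_index(passport_no: str) -> str:
    """The naive alternative: plain SHA-256. Looks 'hashed', but an attacker
    with the table can enumerate the whole passport-number space offline."""
    return hashlib.sha256(normalise(passport_no).encode()).hexdigest()


def build_store(passport_numbers):
    """Toy table: blind index -> opaque guest id. The passport number itself
    is not stored here; if the plaintext is needed at check-in it belongs in
    a separately encrypted column, not in this index."""
    return {blind_index(p): f"guest-{i}" for i, p in enumerate(passport_numbers)}


def lookup(store, passport_no):
    """Front-desk lookup: compute the index from the presented passport."""
    return store.get(blind_index(passport_no))


def brute_force(target_hex: str, index_fn, prefix: str = "A", digits: int = 4):
    """Attacker view: enumerate the toy format (1 letter + N digits) and see
    whether index_fn reproduces the stolen index value."""
    for combo in itertools.product(string.digits, repeat=digits):
        candidate = prefix + "".join(combo)
        if index_fn(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    store = build_store(["A1234", "B9876"])
    print("lookup:", lookup(store, "a1234 "))
    # Unkeyed hash of a low-entropy identifier: recovered in a few thousand tries.
    print("unsalted recovered:", brute_force(unsalted_index("A1234"), unsalted_index))
    # Keyed index: attacker without INDEX_KEY gets nothing from the same search.
    print("keyed recovered:", brute_force(blind_index("A1234"),
                                          lambda p: blind_index(p, key=b"guessed")))
```

  Two caveats a practitioner would add: the keyed index still reveals when two records share a passport number (equality leaks), and if the key is ever stored in the same database or backup as the index, it degrades to the unsalted case. Rotating the key means re-indexing, which is only possible if you still hold the plaintext somewhere (encrypted) or accept that old records become unfindable.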

  4. Jay Lenovo

    Proactive Reservations

    "The biz is also offering to cover a year of identity-theft monitoring service."

    Since it takes Marriott four years to uncover such shenanigans...

    Can new guests get that free protection NOW, before the new system is inevitably discovered as hacked?

    Not much point in giving out life-vests 4 years after the boat sank.

  5. The Man Who Fell To Earth Silver badge

    Huh?

    Why is Marriott storing this data at all for years on end?

    1. Anonymous Coward

      Re: Huh?

      Because storage is cheap, and no one wanted the responsibility for making the call to purge old data in case there was a use for it down the road.

      1. robidy

        Re: Huh?

        Says a lot for due diligence they didn't do or a bizarre risk acceptance if they knew about it.

        1. Anonymous Coward

          Re: Huh?

          Says a lot for due diligence they didn't do or a bizarre risk acceptance if they knew about it.

          Why bizarre? Most modern businesses VASTLY over-estimate the value of the data they hold - my own employer certainly does - and Marriott should have known the risks. I also suspect that most modern businesses VASTLY overestimate the quality of their IT security. And for US companies, there's also an assumption that other countries' laws can safely be ignored.

          So, believing that they were nigh on impregnable, and the data they held had substantial intrinsic value, they happily chose to sit on it, working on the basis that the fines would never appear. Only time will tell if that judgement was correct.

      2. Doctor Syntax Silver badge

        Re: Huh?

        "Because storage is cheap, and no one wanted the responsibility for making the call to purge old data in case there was a use for it down the road."

        Gradually privacy regulation should change this round to nobody wanting to take the responsibility of keeping it. It'll take a while.

    2. werdsmith Silver badge

      Re: Huh?

      5.3 million unencrypted passport numbers, presumably with a foreign key against an unencrypted identifying name and DoB.

      I’m sometimes ashamed of some of the corner cutting stuff that I am required to do by bosses at work as they try to maximise their reporting figures, but if I was asked to store this information unencrypted when encryption is so easy then I would refuse and walk if it came to it.

    3. Anonymous Coward

      Re: Huh?

      It's kind of convenient for the customer who hasn't stayed in a Marriott hotel for a couple of years. They type your passport number into the system and it populates your registration form with all your details so you don't have to fill in all the crap. If you arrive at the hotel late at night and knackered after a 10 hour flight it is a little touch the customer appreciates. I know this from personal experience.

      1. Doctor Syntax Silver badge

        Re: Huh?

        "it is a little touch the customer appreciates."

        Until the downside is revealed.

      2. imanidiot Silver badge

        Re: Huh?

        It is indeed the sort of stuff I don't appreciate at all. Not if it's stored by passport number. I keep that in a privacy sleeve for a reason. And barely if it's stored any other way.

    4. Roland6 Silver badge

      Re: Huh?

      Probably because people (ie. customers) want them to...

      Before GDPR, maintaining information for three years wasn't considered all that excessive, most loyalty cards/accounts will get flagged as dormant if not used/accessed within a three year period. Also if you consider clients, sometimes it is handy to go back through your previous bookings.

      But if like myself you've spent a career travelling, some of your accounts will date back decades; however it is debatable whether I want to go back through bookings made 20 years ago, but bookings in the last few years...

    5. Anonymous Coward

      Re: Huh?

      Not condoning this in principle but in the real world, unless the system has an automatic purge option then you would need to get a dba in to run a purge directly on the database.

      This can then mean that regular guests might lose their loyalty scheme points or their stay history etc. Some legislation may also need to keep certain details for a certain length of time. Therefore you are manually purging data from a transactional database which may break relationships in the tables and crash your application - maybe just under limited circumstances so it is harder to test.

      So you would need to make the call - purge records for customer privacy but risk bringing down your system or leave them where they are and only have a vague risk of a hack at some time in the future.
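      The trade-off the Anonymous Coward describes above (purge and risk breaking foreign-key relationships, or keep everything) has a middle path that practitioners usually reach for: scrub the identity fields on dormant records inside a transaction rather than deleting rows, so stay history and loyalty balances keep their references. The block below is an added example, not code from the page or from any hotel chain's reservation system; the schema, the sample guests and the three-year retention window are constructed assumptions.

```python
# Added example: retention purge that nulls out passport number and date of
# birth for guests with no stay inside the retention window, instead of
# deleting rows. Schema and data are constructed; not any real hotel system.
import sqlite3
from datetime import date, timedelta

TODAY = date(2019, 1, 4)           # constructed "run date" for the example
RETENTION_DAYS = 3 * 365           # assumed policy: three years since last stay

SCHEMA = """
CREATE TABLE guest (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    dob         TEXT,
    passport_no TEXT,
    scrubbed_at TEXT
);
CREATE TABLE stay (
    id       INTEGER PRIMARY KEY,
    guest_id INTEGER NOT NULL REFERENCES guest(id),
    checkin  TEXT NOT NULL
);
CREATE TABLE loyalty (
    guest_id INTEGER PRIMARY KEY REFERENCES guest(id),
    points   INTEGER NOT NULL
);
"""


def open_db(today: date = TODAY) -> sqlite3.Connection:
    """In-memory database with FK enforcement on and constructed sample data:
    guest 1 stayed last week, guest 2 last stayed four years ago."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO guest(id, name, dob, passport_no) VALUES (?, ?, ?, ?)",
        [(1, "A. Recent", "1980-01-01", "P111"),
         (2, "B. Dormant", "1975-05-05", "P222")],
    )
    conn.executemany(
        "INSERT INTO stay(guest_id, checkin) VALUES (?, ?)",
        [(1, (today - timedelta(days=7)).isoformat()),
         (2, (today - timedelta(days=4 * 365)).isoformat()),
         (2, (today - timedelta(days=5 * 365)).isoformat())],
    )
    conn.executemany("INSERT INTO loyalty VALUES (?, ?)", [(1, 1200), (2, 340)])
    conn.commit()
    return conn


def purge_dormant_identity(conn: sqlite3.Connection, today: date = TODAY,
                           retention_days: int = RETENTION_DAYS) -> int:
    """Scrub identity fields on guests with no stay since the cut-off.
    The row stays, so every stay/loyalty foreign key still resolves; the
    UPDATE runs in one transaction and is idempotent via scrubbed_at.
    Returns the number of guests scrubbed."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    with conn:  # commit on success, roll back on any exception
        cur = conn.execute(
            """
            UPDATE guest
               SET passport_no = NULL, dob = NULL, scrubbed_at = ?
             WHERE scrubbed_at IS NULL
               AND id NOT IN (SELECT guest_id FROM stay WHERE checkin >= ?)
            """,
            (today.isoformat(), cutoff),
        )
        return cur.rowcount


def snapshot(conn: sqlite3.Connection) -> dict:
    """What survived the purge: passports per guest, loyalty balances, stay
    count, and SQLite's own FK integrity check (empty list means clean)."""
    return {
        "passports": {r[0]: r[1] for r in conn.execute("SELECT id, passport_no FROM guest")},
        "loyalty": dict(conn.execute("SELECT guest_id, points FROM loyalty")),
        "stays": conn.execute("SELECT COUNT(*) FROM stay").fetchone()[0],
        "fk_errors": conn.execute("PRAGMA foreign_key_check").fetchall(),
    }


def run_demo() -> dict:
    conn = open_db()
    scrubbed = purge_dormant_identity(conn)
    result = snapshot(conn)
    result["scrubbed"] = scrubbed
    return result


if __name__ == "__main__":
    print(run_demo())
```

      The statutory-retention point in the comment is handled by scoping the UPDATE to the columns with no legal hold (passport and date of birth) and leaving name and stay records alone; a real policy would carry the retention period per column rather than one global number. The `scrubbed_at` marker makes the job safe to re-run and gives an audit trail of when a record was minimised.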

  6. Allan George Dyer

    Overlap...

    "The biz is also offering to cover a year of identity-theft monitoring service."

    But I'm already getting Experian's service* from Cathay, because of their data-breach. Just pay me the service fee as compensation instead.

    *I'm not entirely convinced that handing my sensitive data to an organisation that has had its own data-breach so that they can "monitor" where else it has been seen is a good idea.

  7. yoganmahew

    Friday night special...

    Classy burying of bad news there Marriott; ticking all the boxes...

  8. Winkypop Silver badge

    Apologies ad nauseam

    How about fines ad nauseam as well ?

  9. Jon 37

    PR-speak to Plain English translation...

    "There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers"

    Translation: We have no idea if the hackers got the keys to decrypt the credit card numbers or not; given how utterly useless we've been at security you should probably assume they got them.

  10. Hans 1

    5 million passports, that is $400 million to renew, or not ? How much is it to renew a passport in the land of the free ? It is north of $80 for us in UK ...

  11. Tom 7

    What we need is some kind of programming technique that would prevent this happening

    Something where you only expose data to the web via an interface which is thought out by someone with a clue. The sort of thing even stupid people like me have been doing since 1992.

  12. tiggity Silver badge

    Stored data

    Were their procedures properly vetted for PCI DSS compliance?

    It is heavily recommended you use a token based method, so do not need to store card details, (with the onus on the specialist CC token companies to securely store card details)

    If you do decide to store them yourself then you really should have been getting your systems checked (and periodically, not just once back in the day, as what seemed a secure system 5 years ago could well be essentially useless now based on new exploits) - PCI DSS compliance (if you are silly enough to store CC data yourself) includes a requirement for periodic security tests e.g. pen tests etc.

    1. Mr. Flibble

      Re: Stored data

      PCI-dss compliance centrally? No idea.

      At certain Starwood hotels I was working at this year, they clearly weren't, which was a little surprising. PCI-DSS was a big deal at IHG a few years ago (maybe because they'd been hacked in the past and knew they'd be fined next time).

  13. Anonymous Coward

    Why is a passport id considered secret?

    It's written on the thing - it's known by hotel staff everywhere, and accessible by people who want to see ID before proceeding with a service.

    It's not exactly a PIN, is it?

  14. Marty McFly Silver badge

    Riiiiight!

    "There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers,"

    So I had to get a new credit card a few years ago because there was fraudulent activity recorded. Right, there is "no evidence" this Marriott hack was tied to my situation. But there is "no evidence" that it wasn't either. And I highly doubt Marriott is going to go looking too hard for "evidence" as that would make them liable. If it comes their way from elsewhere, they will deal with it - but they aren't going to go looking for problems when finding those problems would hurt them even more.

  15. herman

    Deliberate mix-ups help

    The problem is that a passport copy is a complete ID theft kit - it even includes your signature.

    I had to change my bank card once due to a Dubai hotel. Since then, I give hotels a mix of data: Canadian Amex card and UAE ID for example. This mix doesn't enable an easy identity theft and fraud since the information doesn't match exactly.
