Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted

Jan 04, 2019 · 80 comments
Nick S (New Jersey)
And so who will have their wrists slapped at Marriott/Starwood?
Bill (Rhode Island)
We are still talking about unencrypted data in 2019?
Amy
My family happened to stay at a Starwood branded hotel in London last summer after Ryan Air canceled our flight and we needed a last minute hotel. I received notification from Marriott that my data from that stay was compromised and while that communication did not address our passport numbers, from all media accounts I can assume they were compromised. That will be my first and last time to stay in a Starwood and will avoid Marriotts as well. Not to mention I will never fly Ryan Air again, whose flight cancellation started this entire chain of events!
Nick S (New Jersey)
One can only wonder how many times these lists have been sold in the dark web.
Charleston Yank (Charleston, SC)
OK, so Marriott and probably 1000s of other companies cannot safeguard our data. Who to blame? Not the CEOs but the tech workers who actually do the work of storing and using the data for the company. Until tech workers have a different mindset about safely guarding data, it just isn't going to happen. We need to create very specific learning programs for these tech workers to understand best practices and be a guardian and speak out if they are not. Make it part of the "credo" ingrained in the design and programming skills. Do universities even teach this at all? They should.
NYer (NYC)
ONLY 383 million records? What a relief! And who cares about sharing a few million passport records, right? What's the fix? And what will the penalty be for such an egregiously flawed system? Surely, not some $30,000 K a year entry-level programmer is at fault, eh, Marriott?
MC (Indiana)
It's abundantly clear that there needs to exist some penalty for breaches of user information. There needs to be tension between the utility of the information collected and the liability that losing that information would incur. Otherwise, the bias towards surveillance and against privacy has no remedy. So long as the penalties scale in increasing manner based upon the sensitivity of the breached data and the degree to which the breach occurred, it would encourage private entities to treat cybersecurity with more than the cavalier disregard they so evidently get away with.
JeffB (Plano, Tx)
We continue to allow everyone else (companies, governments, financial institutions, etc.) to own and manage our own personal information thus creating untold replicas of sensitive data. If you want my personal information, I should be able, in this day and age, to provide an entity with a unique expiring key to allow access to that encrypted information I allow you to have about myself and that you need for a duration. Instead, we continue to allow companies to disregard basic safeguards so that they can monetize our identities. Business as usual.
JamesHK (philadelphia)
Silly question, but why not just block/cut off rogue countries from the greater internet in the same way China blocks its citizens' access?
Curmudgeon (Midwest)
@JamesHK Unfortunately, that isn't practical: an attacker is going to hide their country of origin by using a proxy, so it will appear to the network that they are from a friendly country. You can do this yourself with Tor, which is freely available and installs in seconds.
Bobb (San Fran)
China is winning the cyber war while we spend precious time asking "what is a wall?"
SFS (Buenos Aires)
Not clear why Chinese intelligence (assuming it is correct that they are behind the heist) needs all these passport numbers and personal data?
HJK (Illinois)
Why did Starwood have the passport data in the first place?
Anonymous (DC)
So we are supposed to be glad it was just foreign intelligence agencies, not "criminals" that got our passport numbers, credit data, OPM records. What a relief! And so much for the ability of corporations to implement security tools or even turn them on. File encryption is a no brainer and has been around a long time but does anybody bother to use it? Nah. Just apologize and offer a free year of credit monitoring. Much less work. Corporations don't care and neither do their vendors.
Malcolm (San Diego, CA)
Marriott, a company of ~177K employees with ~$23 Billion in revenue (2017 annual report), which mandates that I use specific amounts of uppercase, lowercase, and special characters to ensure that my account’s password is “strong”, can’t even be bothered to encrypt my personal information on their servers?! Passport information that they have very questionable reasons to retain in the first place? I do my best to follow all the advice about keeping my online life secure but what good does it do as long as corporations are apathetic? The US needs to regulate this area: I feel helpless and am tired of being the victim in avoidable data breach after avoidable data breach.
Nevsky (New York)
There need to be steep fines (such as under the European General Data Protection Regulation) for storing data that is not necessary to be stored such as passport numbers and dates of birth. So many sites ask for such data (and have terms that require that it be accurate) and then do not (and in many cases could not given the potential liabilities) assume any meaningful liability for any data breaches. Such data harvesting must be restricted. Even more important, such data should not be shared.
interested observer (SF Bay Area)
There is zero reason for hotels to enter and keep that data in the first place. Once the guest is allowed to check in and checks out without issues, the transaction is done.
David Salazar (Los Angeles )
@interested observer I believe the governments where the hotels are located require them to have this info. Doesn't excuse the unencrypted data.
Linda (Randolph, NJ)
In many European countries, the law requires a passport number upon check in.
Margo (Atlanta)
Surely you jest. The hotel marketing department wants to be able to tailor ads to their visitors. They want to know everything about you - where you live (to determine net wealth), where else you stay (business or vacation), how often and what kind of room (for pushing upgrades), how you pay (to determine net wealth), what airline miles you use (because they "share" your info with the airlines marketing groups). They want all that available when you call in for a room so the correct name, address, credit card are quickly added to the reservation and makes the agent on the phone more efficient. They want to offer you deals and credit cards. All this in the interests of making money.
Barry Short (Upper Saddle River, NJ)
Congress let Equifax off with a slap on the wrist even though it made mistakes that even a rudimentary security audit would have found. It is about time that companies that compile consumer data without proper safeguards face major penalties large enough to make management and shareholders take notice. Maybe a year of revenue?
E (LI)
@Barry Short A lot of data was from foreign nationals. Marriott may have to grapple with the new European privacy laws.
Robert (NYC)
Penalties, absolutely. Large. The only thing these multinationals understand is the bottom line. Legislation preventing writing off the fines as a business expense is crucial.
Charlie (San Francisco)
So, when I get my annual pamphlet from them and other loyalty clubs, where it says how much that company cares about my privacy, we now know they are simply lying.
W (Minneapolis, MN)
The video embedded with this article demonstrates another problem with U.S. cyber defense: an underestimation of creative talent. According to Botti et al. (04 JAN 2019), Mr. Sanger claims: "It's cheap compared to, say, nuclear weapons. You just need some twenty-somethings who are good at programming a little bit of stolen code, and maybe some Red Bull to keep them awake during the night." (1:36) This sounds to me a lot like 'interchangeable parts'. I would add that these people have to be exceptionally creative, and have very flexible ethical standards (especially to carry out attacks against civilians). "People sitting in military fatigues behind a computer" (3:18) do not generally fit this model. People who undergo basic military training are taught to follow orders, to not rock the military chain-of-command, and are weeded-out for their ideological purity. Cite: Botti, David et al. Cyberconflict: Why the Worst is Yet to Come. N.Y. Times Video, 04 JAN 2019
E (LI)
It seems a better approach is necessary. Marriott is equipped for hospitality, not cyber security.
Casual Observer (Los Angeles)
Lazy and stupid behavior by such a huge business that is clearly a target for hacking is criminal negligence. The people who allowed this to happen should be indicted.
Joyce young (nc)
Can someone tell me why you would give a hotel your passport? I am not well-traveled but have traveled in Spain, Portugal, France and Latin America and never been asked for my passport.
Beyond Repair (Germany)
Many countries require hotels to scan and transmit passport and/or visa information of hotel guests to the authorities. In Europe, Italy is an example. There may be more.
E (LI)
@Joyce young Best guess is it eases the flow through their on-line reservation system. The "give up private information for convenience" thing.
Joe Hahnenfeld
@Joyce young I just returned from Spain and the two hotels I stayed in required my passport number. Unfortunately one was a Starwood hotel.
The Poet McTeagle (California)
And yet we're throwing away $100 million apiece on airplanes and how many billions on aircraft carriers.
Aristotle Gluteus Maximus (Louisiana)
Silly question, why do hotels need my passport anyway? A passport is property of the government used to identify people crossing its borders. Once inside the country there is no need for a hotel to see my passport. They don't need to see my passport when I travel inside the USA from state to state. People who work in hotels aren't government officials. They are employees of a private company who are just as vulnerable to bribes, kickbacks, shady deals and influences, criminal activity, etc, etc.
Doug Karo (Durham, NH)
@Aristotle Gluteus Maximus I suppose the hotel may need to see the passport in order to comply with direct or indirect pressure from the government or to increase the chances of getting all the money due to them or to help their own guest recruitment programs with trusted information or to harvest information to sell.
Beyond Repair (Germany)
Have you ever left the country??? There are many countries that require hotels to scan and transmit passport and/or visa information of their guests.
Matt (Corte Madera)
@Aristotle Gluteus Maximus Standard practice (possibly required by law) in many countries around the world, including Italy, most of SE Asia, etc.
David (Kirkland)
Just another example of the problems created when governments mandate the collection of such information for "national security" reasons. Governments demand businesses collect all the taxes they levy, do the I-9 immigration checks the border patrol and immigration are supposed to do, and of course store ID like this for hotels.
Jason (Brooklyn)
Here's the thing... data breaches will not stop. Adversaries will find new ways to get to your data one way or another. However, when businesses (regardless of their size) do not encrypt sensitive or vulnerable information, it is an act of stupidity and should be open to fines of a civil or regulatory nature. This is the world we live in now. Protect all data, because someone will try to get to it. While you're at it... best to back up and encrypt your home computer drive with BitLocker or similar methods.
Nina (Palo alto)
Marriott does not care about customers at all. They don't care about security.
Thos Gryphon (Seattle)
Here's a solution--hotels should use paper to record passport numbers. And after a certain amount of time, the record should be shredded.
Jacquie (Iowa)
Just another corporate enterprise with ho-hum attitudes toward customers' private information. Boycott Marriott in the future.
R. Anderson (South Carolina)
American business cannot be trusted and by extension neither can any business anywhere and neither can anybody who requires your personal data be surrendered to them.
eva (seattle)
I feel like a class-action lawsuit is reasonable. This is negligence and well below current security standards.
Randall (Portland, OR)
Private companies are simply unable to maintain critical information securely. How many more scandals like this need to happen before we understand the need for real privacy laws?
Neel Kumar (Silicon Valley)
Why am I not surprised a single iota? Companies do slipshod work with sensitive data. As a software engineering professional, I am appalled at the routine hacking news we keep hearing. Make Marriott shut down for a whole week and then people will start paying attention.
ladps89 (Morristown, N.J.)
The good news is that the bad news is not worse. Seems that we should be buying more Chinese manufactured goods to enable their state spy agency to do a more thorough surveillance.
Tom (San Diego)
Marriott is a good company with generally excellent service, so I give them the benefit of the doubt. Still, in today's world any company with more than 1 employee should know they are sitting ducks for hacking and should have been more vigilant.
Patricia Y (Los Angeles)
The real danger is not that a hacker will enrich himself using my personal information, but that bad actors will hack into our systems and change pieces of information without our knowledge. Once we find that our financial data is unreliable system-wide, how does our economy even function?
Chicago Guy (Chicago, Il)
What a relief knowing that only 383,000,000 records were lost! I was really starting to worry about our national cyber security for a second. Now we know that all we've done over the past few decades has been a first rate success!
Cal (Cali)
It's ALL out there AND more. The average consumer, er, I mean citizen has no idea. We have no privacy, none. It's all gone, yesterday. Too late to put any of that back into the bottle. We've sold our (and our children's) souls already. Actually we've given it away for free. Information is knowledge, and knowledge is power. You can guarantee our privacy and personal information is being abused and enriching others. The big problem is when it is used against us or to prosecute us by a future dictator and/or regime. Tick-tock. Imagine if Stalin or others had access to any of this.
MR (Michigan)
It is incredible that passport numbers were not encrypted. This is akin to your social security number. Multiple people including the CIO and CEO of Starwood should be fired. And if Marriott had not had a plan to take over and encrypt such data after the acquisition, their CIO and CEO should be fired as well. And any retirement benefits should be reduced by a significant percentage. Not until C-level execs really feel the pain will they act with the due diligence required for their position (and compensation).
Stubborn Facts (Denver, CO)
Again and again, companies are sloppy with customer data, and they pay nothing to us for their disservice. If we suffer from identity theft as a result of these security breaches, we bear the burden. It's time to start imposing heavy fines or required compensation to customers.
Brewster Millions (Santa Fe, N.M.)
Time for Marriott to be punished with a huge punitive damage judgment. And, time for sanctions to rain down on China.
Jerry (upstate NY)
What a relief, only 383 million passport numbers were stolen. And I thought for a minute that this was serious. Marriott certainly is taking a cavalier attitude towards this. I recently stayed at a Marriott property, and the only mention of this hacking was a small card on a table in my room stating that any inquiry I had could be answered by going to the company's website. In other words, please don't ask about it at the front desk. The CEO is 'traveling', and the company won't respond to the NYT. Another company too big for its own good.
PS (MD, USA)
These hacks are so damaging because companies try to gather and hold as much data about their customers as possible, supposedly for their customers' convenience, but really for sales and marketing purposes. I wonder if at some point holding this much sensitive data will become more of a liability than an asset and organizations will perhaps start shifting to a model where they try to hold as little data as possible in order to limit their exposure from hacks, which no one will ever be able to stop.
KKnorp (Michigan)
Requiring Marriott to pay for new passports for all compromised guests is the kind of thing the Consumer Financial Protection Bureau should be doing. Too bad Republicans have basically killed the CFPB.
Jonathan Hutter (Portland, ME)
Interesting comments in here. Two things I see: Why are government and businesses not putting these data behind stronger firewalls? The article covers it. Our government really doesn't want it there. They want to be able to track your movements using passport and other data. And the reluctance to identify China as a culprit prevents China from possibly identifying the U.S. as committing similar acts. Right now that government seems to have stronger will to both flout rules, and to retaliate against hacks. This is not about profit where WE THE PEOPLE will boycott China. How many of us plan to go there anyway? So much of our daily goods are made there, but how many of us check, or have the stomach to do without? It's not about profit, it's about the power of the information.
BorisRoberts (Santa Maria, CA)
Maybe the money they saved by not using the latest encryption software, they could also save by not having those MARRIOTT TELEMARKETERS call me 4 times per day. Every day. Ring. "Hello, Marriott would like to thank you for.......", except I don't stay at Marriott.
Lawrence (Washington D.C.)
That mattress bank, or burying assets in the back yard, look like real possibilities.
Jim R. (California)
Only 380 million records exposed, not 500m. Well, I feel so much better. What's not made clear in the article is why passport numbers (or driver's license numbers, for that matter) even need to be stored. Once a traveler is confirmed to be legal, then the data should not be retained. You know, privacy, if that even exists anymore.
Charlie (San Francisco)
@Jim R. Many foreign countries require the passport info for foreign guests checking into hotels. I remember this being a big problem in Italy.
Global Charm (On the Western Coast)
There is no need for a U.S. hotel to record a guest’s passport number, save as an aid to U.S. police and other government agencies tracking people’s movements. There is certainly no business need. Many years ago, I travelled in the Soviet Union, and was surprised to see an attendant sitting at the corner of every corridor in my hotel, observing people as they came and left the rooms. After a while, it seemed quite normal to be watched all the time. No doubt it was all typed up and filed somewhere. In America, the technology of watching people is more developed. The collection of passport numbers is a relic of an earlier age, like something out of The Maltese Falcon. That’s probably why Marriott didn’t take it seriously. We can safely assume that all of Marriott’s guest records are visible to the U.S. police. Now we know that they’re visible to others too.
CP (Los Angeles, CA)
The breach was global data. Hence, when your US passport is used and information filed ex-US.
aamike (new york,ny)
While it is important that hotel chains and similar organizations are required to be diligent about protecting _our_ data, I am not sure why we are assuming that encryption of passport numbers is the default. I routinely travel all over the world, and am routinely required to hand over my passport to immigration officers, consular agencies, hotel front desks, and so on and have no reason to assume that the information is not subsequently improperly stored and distributed. For all I know, this information has been floating around sans encryption all over. :(
David (Kirkland)
@aamike A passport number, like an SSN, or credit card number, or bank account number, is not secure whatsoever. What next, claim that phone numbers, email addresses, mailing addresses, etc. are secrets rather than given out repeatedly throughout our lives? And the collection of the passport number is required by law.
Margo (Atlanta)
David, in the US, collection of a passport number is not required. This is leading into Marriott's GDPR non-compliance for European data privacy issues...
AndyW (Chicago)
I walk into my eye doctor, medical doctor and dentist’s offices every year and the clerks always insist on copying my latest insurance cards and my driver's license. Restaurants are supposed to use wireless encrypted terminals but yet most still grab my card and take it back to the cashier out of sight for significant periods of time. Small business owners keep unencrypted spreadsheets of repeat customers' credit card numbers on file for convenience. All of these gaping holes in privacy along with the gigantic ones at places such as Marriott are the result of one thing, the failure of Washington to impose brutal penalties on those who don’t protect our private information as if it were their own. In the age of the Internet, this whole thing is now wildly out of control. Instead of leading our way out of it, industry greedily avoids responsibility and makes it worse. Any Democrat really wanting to win the White House needs to make the extreme regulation of privacy and security in the Internet age one of their top platform declarations.
BorisRoberts (Santa Maria, CA)
Yes, AndyW, but apparently, the companies are not able to stop the theft of the info. Also, apparently, they can't seem to catch the thieves, even though they seem to be getting paid somehow.
David (Kirkland)
@AndyW That you hand our "secret" information to every clerk, employer, hotel, etc. suggests the data shouldn't be considered secret at all. If it's private, then you don't give it away to everyone who asks.
James Devlin (Montana)
As once a web software consultant, I lost count how many times I discovered companies storing people's private data unencrypted; including all credit card details, usernames and passwords. When I told the companies of such findings, they invariably did nothing, followed by a string of bland excuses - usually blaming the low-paid, inexperienced, and hence defensive, web developers they had hired. Many of these data storage systems are archaic by digital standards, and cumbersome and complex to update without expert database engineers at the helm. But companies, still, want to cut corners and costs by demanding everything be done by the one or two front-end developers that these companies think are already too expensive. Not possible. And, as with many jobs these days, there seems to be more administrative managers than production workers. Managers who know little about the task at hand other than the finances and their annual bonus for saving money at the more important productive end. Hence your data is vulnerable and sacrificed due to cost savings.
MR (Michigan)
@James Devlin. I have been in IT for 40 years at all levels including CIO and I could not agree more with James's perspective. It’s bad design and bad management and a lack of will and leadership at the TOP to design things well so they are appropriately secure.
njglea (Seattle)
Perhaps, just perhaps, now that the supposed "masters of the universe" in BIG corporations realize that WE THE PEOPLE want our privacy back they will do something serious about protecting it. It is time for WE THE PEOPLE to seriously boycott every business and/or organization that thinks they have a right to profit from OUR personal information. Time to drastically decrease their ill-gained "profits" and demand that they start truly putting "customers" - that's us -first. WE THE PEOPLE have the power with our money and votes. Let's use them to set things right again.
David (Kirkland)
@njglea If you want privacy, don't give it out. That you give it out proves you don't think it's a secret. Or you don't understand how secrets work. There's an old joke about it, showing this is nothing new. And it is a government requirement they collect that passport, not something hotels would otherwise need. And small businesses lose data all the time too, as do government agencies. This is because non-secret data tends to get out via hackers or bad acting workers. You can't keep data secret if you give it away.
seattle expat (Seattle, WA)
@njglea Never going to happen. Those folks supply most of what we need, and have done a lot of work to put smaller firms out of business. They won't do much because they don't have to, unless required by law. Just try and get building products from a company not owned by the Koch brothers, and you'll see how difficult it is.
hen3ry (Westchester, NY)
In other words, no matter how well we as customers or private citizens do at protecting our personal information, most businesses don't bother to do enough. Why then are we told to be responsible when the businesses asking for our personal information can't be bothered to safeguard it? It's about time these businesses paid a hefty fine for their complete lack of concern when it comes to customers' personal information. It's also time that the United States enacted stronger privacy laws and stopped allowing businesses or anyone for that matter to ask us for our SSNs, our passport numbers, or any other personal information online. One last question here: why isn't this information put behind as strong a firewall as possible by both our government and the businesses that claim to care about our safety online? Perhaps we need to return to using pen and paper and safes.
Andrew Wells Douglass (Arlington, VA)
Among other things, this underscores the danger of having "magic secret numbers" or passwords that must be kept hidden to protect people's identity or encryption security. Few things are lost as easily or distributed as quickly as a tiny bit of data. Whenever possible, these should not be stored or exposed or even encrypted, such as by using unique one-time transaction IDs.
ERP (Bellows Falls, VT)
"There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers." This implies that the key is stored in a location where it could potentially be hacked. If so, there isn't much point in encrypting the data. They still haven't learned. I'm confident that even Coca Cola does not keep its secret formula on a computer that is reachable from the internet. Or do they?
Matt (Florida)
Even if it wasn't connected to the internet, it could STILL be stolen. There was a research drone able to read data optically by watching the hard drive read light blink and using some clever software to decode it. And of course the consolidation of millions of records in one place makes physical theft possible as well. Ultimately digital as a whole is an issue.
William (Montreal)
@ERP You could store the master encryption key on a hardware security module (HSM) somewhere in a data center that is on a network/can communicate over the internet with their computers at the reception desk. It isn't really clear why they need to store passport numbers to begin with/in what circumstances they need to use them, but depending on when they are needed, you could, for example, have an encrypted local copy of the database, then when you need a specific passport number you send that encrypted data to the HSM which decrypts it and then have that sent back to the desk over the network. Note that communication on the network could take place encrypted under the kind of session keys that https connections use, so if you steal a session key, you learn everything from that session, but you don't get the whole database. Furthermore, note that HSMs are specifically designed for this kind of thing - being able to use sensitive keys while connected to the internet without leaking key data. When an ATM verifies that your bank card is legit, it uses the same kind of process. Hopefully, they actually use these kinds of best practices, rather than just having the master encryption key lying around on some random server somewhere.
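The key-location worry ERP raises and the HSM-boundary design William sketches, as an added example that is not code from either commenter or from Marriott: a simulated HSM that generates the master key internally and exposes only per-record seal/open, next to a front-desk store that holds nothing but ciphertext. Type names, guest IDs and passport numbers are assumptions constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// HSM models the hardware security module: the master key is created inside it and no method returns it.
type HSM struct{ aead cipher.AEAD }

// NewHSM generates a fresh 256-bit master key that never leaves the HSM value.
func NewHSM() *HSM {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic("no entropy available: " + err.Error()) // refuse to start without a key
	}
	block, _ := aes.NewCipher(key)  // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block) // the AES block size always suits GCM
	return &HSM{aead: aead}
}

// Seal returns nonce||ciphertext||tag; the guest ID is bound in as AAD so a blob moved to another row fails to open.
func (h *HSM) Seal(guestID, passport string) ([]byte, error) {
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return h.aead.Seal(nonce, nonce, []byte(passport), []byte(guestID)), nil
}

// Open is the only path by which a plaintext passport number leaves the HSM.
func (h *HSM) Open(guestID string, blob []byte) (string, error) {
	ns := h.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := h.aead.Open(nil, blob[:ns], blob[ns:], []byte(guestID))
	return string(pt), err
}

// Desk is the reception side: its database maps guest ID to ciphertext only; it holds no key material.
type Desk struct {
	hsm *HSM
	db  map[string][]byte
}
func NewDesk(h *HSM) *Desk { return &Desk{hsm: h, db: map[string][]byte{}} }

// CheckIn encrypts the passport number before anything is written to the database.
func (d *Desk) CheckIn(guestID, passport string) error {
	blob, err := d.hsm.Seal(guestID, passport)
	if err != nil {
		return err
	}
	d.db[guestID] = blob
	return nil
}

// Lookup sends one ciphertext to the HSM and receives one plaintext back (William's per-request flow).
func (d *Desk) Lookup(guestID string) (string, error) {
	blob, ok := d.db[guestID]
	if !ok {
		return "", errors.New("no such guest")
	}
	return d.hsm.Open(guestID, blob)
}

// Dump returns the raw database bytes: what a copy of the database taken without the HSM yields.
func (d *Desk) Dump() []byte {
	var buf bytes.Buffer
	for id, blob := range d.db {
		fmt.Fprintf(&buf, "%s:%s\n", id, blob)
	}
	return buf.Bytes()
}

func main() {
	desk := NewDesk(NewHSM())
	_ = desk.CheckIn("G-1001", "P12345678") // constructed sample guest ID and passport number
	pp, _ := desk.Lookup("G-1001")
	fmt.Println(pp, bytes.Contains(desk.Dump(), []byte("P12345678"))) // P12345678 false
}
```

A real deployment would also log and rate-limit each Open call at the HSM, since the per-record API is what keeps a database copy useless on its own.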
R. Anderson (South Carolina)
@ERP It's colored sugar water.