Identity stolen because of the Marriott breach? Come and claim your new passport

Hotel-chain turned data faucet Marriott says it will help some customers cover the cost of replacing stolen documents. The company on Friday confirmed to The Register that customers who fall victim to fraud as a result of forged passports will be eligible to claim a replacement passport at Marriott's expense. "As it relates …

  1. a_yank_lurker Silver badge

    Burden of Proof

    What level of proof does one need to shake money out of these slimes. The fact they lost critical customer data should be enough for them to make the customers whole. I smell a nasty lawsuit brewing. Also, does the GPDR have any sway on this breach (asking out of genuine ignorance)?

    1. Not That Andrew

      Re: Burden of Proof

      IIRC, if the data of EU citizens or residents was lost in the breach, yes.

      1. katrinab Silver badge

        Re: Burden of Proof

        And plenty of EU hotels affected, eg Le Méridien range of hotels.

    2. Mark 85 Silver badge

      Re: Burden of Proof

      What level of proof does one need to shake money out of these slimes.

      Which slimes? Marriott or the miscreants?

      1. Loud Speaker Bronze badge

        Re: Burden of Proof

        Marriott or the miscreants?

        Yes - or possibly both.

    3. tfewster Silver badge
      Facepalm

      Re: Burden of Proof

      > make the customers whole.

      Including the cost of the customers time - Probably > $110 per hour times many hours to sort out an ID theft.

      Actually, y'know what? I'd just have a lawyer sort it out for me, and send their itemised bill to the Marriott group.

    4. I_am_not_a_number

      Re: Burden of Proof

      Not sure whether this answers the US-centric view of "burden of proof" - I'm assuming that you mean demonstrable losses, which obviously in this case will be hard to prove, since ID theft isn't enacted until potentially years later... but perhaps the following might help.

      The following section 168 of the UK Data Protection Act 2018 (which references GDPR) stipulates that, if you've suffered distress, then you have a right to claim compensation.

      Here:

      "168 Compensation for contravention of the GDPR

      (1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress."

      Compensation mechanisms are referenced in articles 77-83. Since the hotel isn't a public authority, none of the state-level derogations will apply and therefore it's fair game for any punishments.

  2. IceC0ld Bronze badge

    Hotel-chain turned data faucet Marriott

    FOUR YEARS

    500 MILLION accounts

    =

    $110 IF you can PROVE it was their fault .............................

    not sure what upsets me most, but at the moment it's the fact they were open for 'business' for FOUR YEARS ......................

    dang it to heck, WTAF do their Admins get paid for ?

    1. A.P. Veening

      Re: Hotel-chain turned data faucet Marriott

      "WTAF do their Admins get paid for ?"

      To make sure the other Marriott wage slaves don't experience problems while doing their best to make money for Marriott. This isn't/wasn't an admin problem, this is/was a security officer problem. And the responsibility should be with a C-level security officer.

      Everybody always claims big is beautiful and I concur, I would love to see a really big fine.

      1. LDS Silver badge
        Facepalm

        "This isn't/wasn't an admin problem"

        Create isolated compartments and security will never work. While evidently the CSO botched it completely, system administrators too failed to make systems secure and ignored it for at least four years. Sure, the CSO should have awakened the admins much earlier, and had the lazy/incompetent ones fired. Now of course he/she has to be fired as well.

        If I had a dime for every sysadmin that utterly ignored security warnings, advice, and even policies because they made their daily job a little harder....

      2. Old Coot

        Re: Hotel-chain turned data faucet Marriott

        This isn't/wasn't an admin problem, this is/was a security officer problem. And the responsibility should be with a C-level security officer.

        They're not likely to worry about a fine if they're not worried about a breach (likely to be far most costly). Either way, they'll look to blame it on the person with the least clout (think Breaker Morant, or Lt. Calley).

        It relates to the difference between formal and efficient causes, or something like that.

        This is why I abandoned the DBA game after 10 years. If something goes wrong you're always the guy next to the machine, who with hindsight could have done something differently. What will not be taken into consideration is that your recommended, best-practice measures were not taken in order to save a few currency units. In my case, it was things like re-using backup tapes more times than recommended, or running versions of the database that were no longer supported ("we can't leave this one because our app vendor went out of business before migrating the app to the current version").

        The C-level security person is usually a permanent employee (can't be fired without a court case, at least not in Belgium) with little technical knowledge. He or she relays the cost-cutting dictates to you and (hopefully) your warnings back to the C-suite. The C-suite claims credit for the lower costs, but not for any consequences this entails. To be fair, you can't tell the C-suite what the probability of an incident is, or the likely impact; it's not a game of dice, with a known set of possible outcomes.

        What I've been seeing is that, for freelancers at least, there's a push to make us accept unlimited liability for anything that happens. I recently turned down a good offer because the agency's contract contained many clauses like this: "The contractor will be liable for any data breach". No qualifiers saying that it had to be my fault or even to have happened while I was there. They want to make you liable, but how much do they think they'll get from someone who's poor enough to be working for a living? The strategy seems to be to push off liability to someone else.

        The deeper problem is in the technology itself: a small mistake or oversight can have consequences that are wildly out of proportion to the negligence involved. Even perfect best practice is no guarantee against total disaster (breach, data destruction). It's not only IT: think nuclear energy, genetic manipulation, bio-weapon development, ...)

        The problem for most of the people who read this site is how to avoid situations where this looks like a real possibility. In my experience, you can usually smell such projects after a week or two. Sometimes you can even smell it at the interview.

      3. Doctor Syntax Silver badge

        Re: Hotel-chain turned data faucet Marriott

        "And the responsibility should be with a C-level security officer."

        Even better, every C-level officer should have a statutory security responsibility.

  3. damian fell

    Interestingly, after doing some further this gives me a bit more confidence in Marriott's cyber security.

    Marriott "merged" with Starwood in 2016 in one of these mergers that's really a takeover.

    Looks like their systems integration started in 2017, and this August they combined their loyalty schemes.

    This sounds very much like they finished wrapping Starwood's systems into their cyber security monitoring and immediately found something nasty that the smaller company previously didn't have sufficient tools or processes to catch.

    I'm still cheesed off that I'm affected due to a stay back in 2011, for which they had no reason to retain my details.

  4. Anonymous Coward

    What surprises me most about this story is that if the figures are correct then about 8% of the total worldwide population booked rooms in a Starwood hotel during a 4 year period

    1. Tomato42 Silver badge

      they state that those are numbers before deduplication

      not all receptionists bother to search for a customer in the database when checking-in

    2. iRadiate

      I booked into Starwood 5 times in 3 years. That's 5 lots of data relating to me. It's not 500 million people but 500 million data records.

  5. Velv Silver badge
    Pirate

    While it’s not listed among the lost data (so far), I wonder if people's invoice details have been compromised?

    Who’s exposed to a little blackmail over their porn habits or extra pillows? (which for those not familiar with Concierge speak is negotiable company).

    1. katrinab Silver badge

      Last time I looked at hotel accounts, almost nobody paid for hotel TV channels. That was about 10 years ago, and I guess it is even lower now.

  6. Ken Moorhouse Silver badge

    Come and claim your new passport

    Just fill out the attached form and return it newpassport.pdf.exe

    1. FlamingDeath Bronze badge

      Re: Come and claim your new passport

      "hide extensions by default"

      Another one of Microturds joint brainfarts by committee

  7. Loud Speaker Bronze badge

    New ID?

    A new passport won't hack it. I want a new (and secret) ID - complete with plastic surgery, new bank accounts and a fake foreign accent.

  8. doublelayer

    And one requirement to use this is

    Have they set up any system that informs people if they have been included in a breach or at least lets them check? I haven't read everything, so I suppose it's possible, but I would figure that if such a thing existed the company would have referred to it in their statement or the article would have mentioned it. If they indeed lack such a feature, is it because they don't know whose data was breached or they don't want to tell people? Of course, this makes it hard for a customer to know whether to do anything and therefore whether to ask the company for damages. So I'm assuming nobody will be informed.

    1. Anonymous Coward

      Re: And one requirement to use this is

      > Have they set up any system that informs people if they have been included in a breach or at least lets them check?

      Yes - it's called WebWatcher.

      Believe it or not: when you enrol what you get is a web form where it asks you to enter your name, full address, date of birth, all your bank account numbers, your credit card numbers, and passport number.

      If you are mad enough to try it:

      http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/

      Follow the link from there. Anyone can enrol - you don't have to provide any evidence that you ever stayed at a Marriott/Starwood hotel.

      1. swm

        Re: And one requirement to use this is

        I just received a well-written email from starwoodhotels@email-marriott.com with many links to www.annualcreditreport.com, www.equifax.com, www.ct.gov/ag etc. Curiously all links point to the same address. Checking whois it seems that the address of email-marriott.com is owned by Marriott so maybe the security breach is not over. Pinging email-marriott.com failed. I did not try going to the nice link they provided.

    2. Colin Bull 1
      Unhappy

      Re: And one requirement to use this is

      I have had notification I might be involved. Last time I used any of these hotels was 2008!

  9. ah umaway

    hotel visit database

    > The attackers also would have been able to look at information on when customers stayed with the hotels, though that info would have been of far less value.

    I wouldn't say that is necessarily true, but admittedly it requires a more complicated business model. Its value would only become apparent when juxtaposed with other (leaked?) data sets. For example by looking up corporate lobbyists visits that coincide with an industry event in that city, especially the ones they didn't tweet about. Valuable information for competing interest groups and authorities.

    1. Anonymous Coward

      Re: hotel visit database

      Now look!

      She's my niece and we only shared a room because there was a conference in town!

      OK?

  10. Gonzo wizard
    Flame

    Replacing the passport is the least of it...

    I've two visas in my potentially leaked passport (I got the Starwood email). If I'm to replace my passport then I'd also expect the cost - both direct and indirect - of applying for two fresh visas to be covered. Of course Starwood have not provided any way for me to view all the information they regard as having been (potentially) stolen...

  11. Pen-y-gors Silver badge

    New passport?

    How exactly will getting a new passport help? Will they change your date of birth? Your place of birth? Your name?

  12. Anonymous Coward

    Starwood outsourced most of their DBA activities to Accenture India over the affected period - so, you know, you get what you pay for.

    And it's also quite likely the breach is not as old as they say it was - they wanted to backdate it to well before GDPR came into effect, otherwise the fines would bankrupt Marriott

    1. Doctor Syntax Silver badge

      "they wanted to backdate it to well before GDPR came into effect, otherwise the fines would bankrupt Marriott"

      How would that help if it continued after GDPR implementation?

  13. Anonymous Coward

    Company email, but my data?

    Guess I'll have to give them a call in the morning... stayed at Marriott/Starwood on many occasions over the last 10 years, mainly on business (no nieces involved!!). However, it would always be using my business email address at that time; the passport and address would obviously be my own, and the card details sometimes my own if there was no company credit card.

    I would hope they can identify those affected on more than just their email address

  14. pwl

    Experian IdentityWorks fail

    Got an email from Starwood today offering a year's free coverage by Experian IdentityWorks <https://www.globalidworks.com/identity1/>-

    On trying to create an account, though, the form said my 16-character password was too long. FFS.

Biting the hand that feeds IT © 1998–2019