back to article Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …

  1. The Oncoming Scorn
    Stop

    Phantom Phone Calls

    I get on average 4 calls a month automated voice mail claiming that as a Marriott (Sometimes WestJet) client, I have qualified for ............

    I have usually dropped the phone connection by then.

  2. Anonymous Coward
    Anonymous Coward

    And we thought our boss was just stingy

    Now I know why he only pays for camp site accommodation when we travel....

    So far Kampgrounds of America haven't been targeted.

  3. XSV1
    Mushroom

    Au revoir Marriott!

    Oh bugger. I have stayed in sodding Marriott hotels all around the planet. Their patently crap attitude to security really pisses me off.

    No more Marriott hotels for me!

  4. greenwood-IT
    Facepalm

    It's ok...

    It's ok, the hackers got the "communication preferences" data - I selected the "no email" option.

  5. Anonymous Coward
    Anonymous Coward

    This will continue to happen....

    ....due to so many companies seeing IT as just an unnecessary expensive. I sat in the Pullman Hotel in London early in the year & while bored in my room just scanned the network. Surely such a business hotel would have at least wireless isolation on.

    Nope!

    Shocking.

    I reported all the findings on Twitter to them while there. Granted, was only there a few days and during that time it was slowly being locked down after my reports, but how long had it not been? At one point there was access to one of the servers that controlled heating somewhere in the hotel or it was a reporting system, I can't quite remember. But it clearly hadn't been patched in years. You could even see their own office PCs on the network that all guests have access to.

    I've seen some bad setups at small, family run lodge places which still shouldn't happen but more understandable but at a big chain and business hotel is unforgivable.

    I now wonder if Pullman has ever had any breaches and just kept quiet or still not realised.

  6. Mike Richards Silver badge

    Just had my Marriott email

    It opens:

    'Marriott values our guests and understands the importance of protecting your personal information'

    This must be a new policy.

    'the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)'

    So we can assume our passport numbers have been left in plaintext and are now in the hands of the PLA. Unlike credit cards it is hard to know if this data has been misused and not easy to get a free replacement if you suspect yours has been misused.

    I wonder if Marriott fancies coughing up for half a billion new passports?

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018