
Marriott Concedes 5M Passport Numbers Lost to Hackers Were Not Encrypted - adriand
https://www.nytimes.com/2019/01/04/us/politics/marriott-hack-passports.html
======
fatjokes
Will they be penalized? Was Equifax ever penalized?

The cost to them so far is some bad PR which will probably blow over.
Especially for companies like Marriott and Equifax which have near monopolies
(Marriott owns several smaller chains like Starwood and Ritz Carlton), this
probably won't affect their customer loyalty. Particularly when it's safe to
assume that the other chains are probably not doing a better job.

Marriott currently has no incentive to spend money to do a good security
audit.

They had incentive to do their recent migration of loyalty programs, since
Starwood's program was notably generous.

~~~
pgrote
>Will they be penalized? Was Equifax ever penalized?

No and no.

Our Federal government is beholden to special interests, so no real
legislation or regulation addressing this issue will ever occur. If Equifax (a
brace of our economy) didn't receive the death penalty for what they were
responsible for, nothing will occur to any future company.

~~~
sandworm101
I've been on the inside of some leaks and associated internal investigations.
There may not be an external penalty, but these are a serious internal
headache. You often have to bring in external people, who then always see the
worst in everything. The board has to be kept up to speed. The meetings and
late nights pile up. The absence of external penalty doesn't mean that those
on the inside don't care. I'd say that most corporate infosec is motivated
primarily by the desire to avoid internal investigations. Avoiding the need to
report anything to shareholders and/or corporate partners comes second.
External penalties is a distant third.

~~~
karmelapple
That’s only motivation for InfoSec, though. The CEO has to be motivated to
practice good security by the bottom line implications; if having a security
incident means less profit, a conscientious CEO will make sure to mitigate
that risk, or at least factor it into the tradeoffs of what to do.

Without any significant monetary threat, the ultimate cost of security
breaches to a company isn’t truly a big deal.

------
mephistosec
Nothing was 'lost'. A misplaced laptop is lost; records from a database are
accessed (or 'stolen', but I think that's problematic as well). The fact that
the access was possible says nothing about the hackers and everything to do
with Marriott's security approach and posture. Can we please stop letting
companies hand-wave away these attacks and stop solely blaming hackers?

I've worked with hundreds of companies' security teams. While I've seen a
select few companies do a really great job, most were either negligent,
incompetent, or both. I'm sick of the blame for this being laid solely at the
feet of the abstract "hackers", rather than the people who make these attacks
_utterly trivial_.

(Posted from a throwaway because Marriott may or may not be a customer of
mine. Ugh.)

------
jarjoura
Throughout my travels my passport number has been copied with an old school
copier, entered into excel spreadsheets and held on to by various shops for
collateral.

Not saying this isn’t a shitty hack, but I feel like the passport is the least
secured document attached to me I have.

~~~
linkmotif
I thought you should never, ever give your passport to anyone, especially for
collateral. Right?

~~~
ryanlol
Dunno, depending on your country they can be pretty easy to replace and they
do tend to work quite well as collateral.

This entirely depends on your situation, for example I don't think there are
many places where it'd be a huge deal for a white westerner to lose their
passport.

~~~
Quanttek
Are you sure you're not conflating IDs with passports?

Though, yeah, in Germany at least it's quite easy to replace passports.

------
40acres
I would've thought by now the security consultant industry would be really
robust and large corporations like Marriott would be advised to handle low
hanging fruit like "encrypt everything". Anyone know the current state of the
industry?

~~~
staplers
> Anyone know the current state of the industry?

Large corporations are run by business majors who often have a disdain for
computer science. Usually this leads to not hiring the top security experts
(either through lack of knowledge or not wanting anyone smarter than
themselves at the wheel).

I've personally seen this at a few jobs. It can go both ways, as often CS-savvy
startup founders are the same way towards business majors.

~~~
lotsofpulp
I think it's mostly the fact that the cost of data breaches is less than the
savings (i.e. profit) from not implementing rigorous systems.

~~~
staplers
FREE and OSS CMSes encrypt customer data now. Don't know where this myth that
it costs money to do basic encryption is coming from.

~~~
EpicEng
It's not only the cost to encrypt something. It's the cost to create security
policies, hire people who know the field, implement protections beyond
encrypting data at rest, updating old software to deal with the new security
measures, etc. It's never as simple as "just encrypt that field".

Until there's a good reason to do so people aren't going to bother.

------
kyoob
Why do they even have that many passport numbers saved in any format? I get
what a spy organization could do with that information. What does a hotel
organization do with it?

~~~
bilbo0s
> _I get what a spy organization could do with that information. What does a
> hotel organization do with it?..._

Give it to the spy organization.

Not being snarky. That was meant as a serious comment. Maybe there is some
kind of requirement to inform the appropriate organizations of the passport
numbers of any foreigners in your hotel?

~~~
sethhochberg
At least within the EU, it is required that hotels record the passport numbers
of people who stay with them for potential future law enforcement use. Most
countries just require the data be kept on file at the hotel, but a few
regularly collect it in some kind of central database.

~~~
ghaff
And, especially with a big chain, I assume that any information they collect
(especially if they're required to collect it) gets put in a centralized
database rather than depending on a paper copy being properly filed in a file
cabinet someplace.

Somewhat OT but I was in Europe last month on a business trip. There's a knock
on the door one evening. Imagine my surprise in discovering it's someone from
the hotel who has come up with a few edible goodies for my birthday. On the
one hand, it was a nice gesture. On the other, I was a bit taken aback. Where
did they get that info?

I didn't really want to ask but a friend of mine later reminded me that they
probably got it off my passport. I suppose this might have just been an
informal process at this particular hotel. But I wouldn't be shocked to learn
it was put in the chain's database.

~~~
akshatpradhan
How does GDPR play into the requirement to store passport numbers?

~~~
ryanlol
It plays. The way these hotels are doing this maybe probably isn't GDPR
compliant, but the same applies to vast amounts of other things.

Hard to share any very useful insights on this, it's just the state of most
things.

~~~
akshatpradhan
Can GDPR be used as an audit mechanism for breached passport numbers? And if
so, what would that process look like? Can hotels be fined if they’re found to
not be GDPR compliant?

~~~
ryanlol
>Can GDPR be used as an audit mechanism for breached passport numbers? And if
so, what would that process look like?

I'm not quite sure what you mean, but the answer is probably no.

>Can hotels be fined if they’re found to not be GDPR compliant?

Sure, but is anyone GDPR compliant yet? I'd imagine that all the DPAs in EU
are extremely busy right now.

------
sneakernets
Is anyone surprised that assigning numbers to people to identify them seems to
backfire every time it's tried?

~~~
briffle
There is no problem with assigning people a number. The problem is that people
start using that number as verification, not as an identifier.

People treat your SSN as a password, when really, it just uniquely identifies
you. It's basically an email address, not a password.

~~~
alkonaut
Don’t use any service that considers SSN a verification.

~~~
lotsofpulp
Functionally useless advice if you ever have to deal with mobile networks,
internet service providers, financial institutions, utilities' providers, any
government, schools, universities, and the list goes on.

~~~
alkonaut
Those services take the SSN as _proof of identity_ and not just identity?

Wouldn’t most people’s SSN’s be leaked already so using SSN rather than proper
ID isn’t much better than nothing?

~~~
lotsofpulp
Yes, when you call customer service you’re usually asked to provide your SSN
to verify you are who you are.

Some are finally requiring a PIN or passcode, but very few in my experience.

~~~
alkonaut
Providing your SSN identifies you no better than your email address or postal
address. It’s not a secret number. There may be a provider that has a 2FA. It
should be a cheap way for them to get more business.

------
ummonk
Note that encryption at rest isn't a panacea. Since every system that accesses
the data needs to have the decryption key, if the hacker is getting the data
by hacking one of those systems, then the encryption at rest has achieved
nothing.

~~~
scosman
Not a panacea, but always required. All disks eventually are thrown out. It
doesn't prevent all attacks, but it's the only way to prevent a very common
class of attack.

~~~
ummonk
Yes, it's generally a good idea, even if it won't protect against most
breaches.

There are also certain types of encryption at rest where it buys you
absolutely nothing though, e.g. using AWS' builtin encryption at rest for S3.
No one is going to break into the AWS datacenter and steal the data from the
physical disks.

~~~
scosman
AWS decommissions hardware like anyone else. While I'm sure their processes
include a secure-delete, no process is perfect and things are missed. It's
worth setting the flag, especially since it's free.

------
anonymous5133
Why does Marriott have passport numbers to begin with?

This really comes down to companies simply collecting way too much
information. Consumers need to push back against this type of data collection.
Only give information which is clearly required for their business and nothing
more. Also the companies should only retain that information for long enough
to conduct their business.

~~~
seattle_spring
A lot of countries require hotels to collect information that proves that the
guest is there legally.

~~~
hiccuphippo
In my country hotels are even required to make a photocopy of the passport/ID
when a traveller checks in. Having your ID be public is not more of a
security issue than your name being public.

------
awat
Needs to be substantial penalties for these transgressions or it's just
another "cost of doing business".

~~~
ascorbic
A lot of these are likely to have been from EU residents, so there certainly
could be some very large fines coming their way, courtesy of the GDPR.

~~~
alkonaut
Wow, I didn’t think about that - it applies to EU citizens even when not in
the EU. And for a few types of business you _have_ to have physical presence
where you operate (hotels is one) so the EU can always force Marriott to pay
up or extort the money from their business in the EU.

------
ex3ndr
Curious question. How could they encrypt this information when managers at
help desks in the hotels need that information, say, for verification? Wouldn't
stealing a password from a temporary worker be super easy anyway?

~~~
diminoten
You can decrypt the encrypted info, which is what you want to do with PII at
rest, which I'm _assuming_ is where the data was taken.

------
hiccuphippo
Why is having a person's passport number a security issue in the first place?
What could a malicious person do if they have your passport number?

~~~
scarlac
Unfortunately passport number is considered semi-secret to the point where you
can retrieve very personal information with it or with a tiny amount of extra
info such as last name + passport number. Passport numbers are also permanent,
until replaced.

Or to put it simply: passport numbers make identity theft easier.

------
myrandomcomment
Uh, I was in China more than once, so I think if they are responsible it is not
something they do not have ;)

I think I have become numb to this stuff. I just assume it's all out there and
thus keep an eye on my credit reports, et al.

I am more pissed about the basic level of OPsec I see at these companies. I am
even more worried about the same thing at our Defence contractors and related
companies.

------
pasbesoin
It seems law and regulation are going to have to clearly define and constrain
what these organizations are allowed to collect _and what they are not allowed
to collect -- or, rather, that everything else is off-limits._

Guests need to be offered the question of whether they care to share X data,
and guaranteed that a "no" answer will not affect their ability to do business
and receive services in the slightest -- nor the price they receive.

Many people scream bloody murder WRT regulation. However, here we have a clear
and repeated industry failure -- one with significant knock-on costs and
risks.

So, tough. You failed.

I could also cough up a protest on my part against the whole misleading notion
of "self-regulation". _And_ point out that in an era of increasing
consolidation into brands under very few and very large holding companies,
effective competition -- including and with respect to data and security
practices -- is largely absent.

P.S. Where data collection is required, standards and aggressive auditing
should be funded and enforced.

People in the U.S. generally seem to have no problem with FDA regulation and
inspection of meat production. (Not realizing how industry political
initiatives continue to stress and periodically threaten this, e.g. inspection
budgets.)

Well, it seems we're to the point of needing an FDA for data, or something
like it.

I say this with trepidation. And any initiative should come with a healthy
dose of "audit the auditor", to keep requirements and process transparency to
a maximum and minimize the governments' own carve-outs and attempts to siphon
off the data whose processing is under inspection.

Back to my accounting days. How do you prevent mistakes, error, and fraud?
Well, orthogonal processes with robust cross-checks certainly help.

~~~
jstanley
The only reason the hotels are collecting passport numbers in the first place
is _because_ of regulations requiring them to.

~~~
lotsofpulp
It also helps verify against people causing damage to the hotel. Businesses
where the transaction is not a simple "seller provides item - buyer pays
seller" have different risks involved, and therefore need additional
measures to protect against them.

Requiring credit cards, government-issued photo ID, and age over 21 are all
methods of preventing guests who trash rooms, sneak in pets and cause noise
disturbances, underage partiers, pimps and hookers, drug dealers, the
excessively dirty who cause pest problems, etc. from messing up the business.
Same with car rentals and flights. Some people are problematic, and it affects
other customers, and you need a way to mitigate the problem.

In the US, almost all local ordinances require hotel operators to keep track
of who is staying in which room for a year or so (some even require
photocopying, although that's not always followed), and to hand over that info
to police whenever they demand it.

------
wdn
Until someone is held responsible, big corporations will not care about
customers' data. It's probably cheaper to give everyone a year of credit
monitoring (which not everyone uses) than to implement security to protect
customers' data.

Data breaches are reported every week, yet nothing is being done.

------
jliptzin
Any data we turn over to companies should be treated as compromised. There
should be a way to issue new SSNs. Things that can’t be changed like
birthdays, addresses, and last names shouldn’t be stored by companies without
very good reason.

------
embwbam
If you’re doing a new startup, and have aggressive timelines, what security
measures would you implement to protect PII from day 1? I’m an experienced dev
but not a security expert.

~~~
ummonk
Two factor authentication for all developer accounts, require TLS 1.2 to
access the website and add HSTS, have some system for ensuring all SQL queries
are sanitized, use bcrypt or scrypt with recommended settings to hash user
passwords, add a content-security policy, enable secure and same-site
attributes for cookies, as well as http-only, and add a double-submit csrf
token. That should cover the basics to start with, in rough order of priority,
assuming you're building a web app.

Also, in general, be conservative about what PII you collect; hackers can't
steal information you don't have.
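The list above is a checklist, not code. As an added illustration (not ummonk's code and not tied to any particular framework), here is a standard-library-only Python sketch of the app-side items on that list: scrypt password hashing with a per-user salt and constant-time comparison (scrypt is used instead of bcrypt because it ships with `hashlib`; the work factors `n=2**14, r=8, p=1` are an assumed, commonly used interactive-login choice), an HSTS plus content-security-policy header set, a session cookie carrying `Secure`, `HttpOnly` and `SameSite=Strict`, a double-submit CSRF token check, and a parameterized SQL lookup. The in-memory SQLite table and the user `alice@example.com` are constructed sample data. Developer-account 2FA and the TLS 1.2 minimum are identity-provider and TLS-terminator configuration and are not shown.

```python
"""Day-one PII protections for a web app, using only the Python standard library."""
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Optional

# --- Password hashing ---------------------------------------------------------
# Assumed work factors (a common interactive-login setting); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>' using a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:  # malformed record: treat as a failed login, never crash
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# --- Transport and browser-side headers --------------------------------------
def security_headers() -> dict:
    """HSTS for one year including subdomains, plus a restrictive CSP."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy":
            "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    }


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for a session cookie: HTTPS-only, no JS access, no cross-site sends."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


# --- Double-submit CSRF token -------------------------------------------------
def issue_csrf_token() -> str:
    """Random token to be set as a cookie and echoed back in every state-changing form."""
    return secrets.token_urlsafe(32)


def validate_csrf(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Accept the request only if the form copy matches the cookie copy exactly."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


# --- Parameterized SQL --------------------------------------------------------
def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)",
                 ("alice@example.com", hash_password("correct horse")))
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, email: str) -> Optional[tuple]:
    # The value is bound as a parameter, never spliced into the SQL text, so an
    # input such as "' OR 1=1 --" is compared literally and matches no row.
    return conn.execute("SELECT id, email, pw_hash FROM users WHERE email = ?",
                        (email,)).fetchone()


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Look the user up by parameterized query, then verify the password hash."""
    row = find_user(conn, email)
    return row is not None and verify_password(row[2], password)


if __name__ == "__main__":
    db = make_demo_db()
    print("login ok:", login(db, "alice@example.com", "correct horse"))
    print("injection row:", find_user(db, "' OR 1=1 --"))
    print(set_cookie_header("session", secrets.token_urlsafe(16)))
    print(security_headers())
```

`verify_password` deliberately returns `False` on a malformed stored record instead of raising, so a corrupted row cannot turn into a stack trace that leaks details to the client. The CSRF cookie must not be marked `HttpOnly` if client-side script is what copies it into the form; the session cookie above should be.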

------
miohtama
They will be punished in European Union where they have business presence.
They had EU passports there. Under GDPR negligence is punishable.

UK ICO hopefully will intervene in a few months.

In the USA remedy actions are class action lawsuit driven and corporations do not
have incentive to change their behaviour.

------
alexeiz
I logged into Marriott to change my password... and I couldn't. Their web page
responsible for changing password times out. What kind of POS system is that?

~~~
zachberger
Seems like you've been out of the loop. They've been experiencing massive
computer problems since August.

[https://www.wsj.com/articles/inside-the-marriott-starwood-loyalty-program-turbulence-1543416010](https://www.wsj.com/articles/inside-the-marriott-starwood-loyalty-program-turbulence-1543416010)

------
germainelong
Companies should not be allowed to have such sensitive data or the punishment
should be severe - I mean the entire board should look at doing time.
Currently as the law is, the rich can just laugh and carry on.

------
IshKebab
What can malicious people do with my passport number?

~~~
jandrese
Create a fake passport to travel under your name and commit crimes. Try not to
be surprised when you discover an arrest warrant in your name for sex
trafficking in Belarus.

~~~
ghaff
Not that one wants this sort of information to be leaked of course, but it's
hard to see that information which is routinely copied by hotel desk clerks and
which is written down on countless forms is deeply sensitive information that
will cause dire outcomes if it gets out.

~~~
coltonv
You mean like your bank account number, which is constantly typed into online
forms of all sorts of websites. Or your credit card number, which you probably
say verbally into the phone to pay your bills?

Truth is, lots of extremely sensitive data exists in insecure states all the
time.

~~~
ghaff
For that matter, your bank account number goes on pieces of paper called
checks that many of us give to individuals and companies all the time to pay
bills.

So, yes, I draw a distinction between numbers that we hand out willy-nilly and
truly sensitive information. There's a big difference between my checking
account number and my health records.

------
alltakendamned
Now chant with me... GDPR... GDPR... GDPR...

------
amrx431
And to which software sweatshop was the IT outsourced?

