
Marriott’s breach response is so bad, security experts are filling in the gaps - guiambros
https://techcrunch.com/2018/12/03/marriott-data-breach-response-risk-phishing/
======
TeMPOraL
Could someone explain to me what's up with the "monitoring services"? I
recently read a book on infosec risk, and they keep mentioning that the usual
response for data breach involves sponsoring a "credit monitoring service" for
customers. Marriott is now referring people to some non-credit "monitoring
service", that (from skimming their site) ultimately tries to fill in some
holes left by "credit monitoring".

Here's what I don't understand:

- Why?

- Why is that not a service provided by a bank, as a part of having a credit
card?

- Why do individuals have to pay some random third parties to protect
themselves from some fraudster defrauding some bank via data obtained from
some company (even if, in publicized breach cases, this gets covered by
the breached company)?

- (Somewhat related) how is it that your "credit score" isn't just a number
on your bank dashboard, but you have to pay third parties to discover it?

It can't be that all of this is just a legalized racket, can it? Because it
feels like it is.

~~~
koolba
> - Why?

Because they’re probably paying Marriott for the privilege of being listed as a
provider for monitoring services. Once the free tier runs out they’ll try to
milk the consumers for an ongoing protection charge.

> - Why is that not a service provided by a bank, as a part of having a
> credit card?

Separation of concerns. A bank or card issuer cares more about covering their
own liability for fraud on a particular card. They don’t care if a new one
gets issued in your name somewhere else or if a line of credit gets opened.

> - Why do individuals have to pay some random third parties to protect
> themselves from some fraudster defrauding some bank via data obtained from
> some company (even if, in publicized breach cases, this gets covered by
> the breached company)?

That’s not strictly true. Freezing your credit across all the major credit
agencies is free. They likely don’t want you to know or do that as it also
limits junk mail for credit cards.

> - (Somewhat related) how is it that your "credit score" isn't just a number
> on your bank dashboard, but you have to pay third parties to discover it? It
> can't be that all of this is just a legalized racket, can it? Because it
> feels like it is.

It _is_ a racket with a private sector origin that effectively got
standardized over the years. There’s a number of private organizations that
provide “credit scores” with FICO being the most prominent.

Starting a few years ago most financial providers provide free access to your
current score or some “fako” equivalent.

~~~
fyfy18
In the UK much the same racket is going on. A couple of years ago I was the
target of identity theft, which involved somebody walking into a phone store,
and giving for 'security purposes' my full name, address and date of birth,
and walking out with a new iPhone on contract. I am a director of a limited
company, so all of this information is freely available online.

I eventually got it sorted (the suggested route of contacting Action Fraud did
nothing; I had to make numerous proactive calls to the network's fraud team),
but in order to prevent it from happening again they suggested I mark myself
as high risk with the credit agencies (CIFAS protective registration), which
involves paying a £10/year fee to set a boolean on my file.

I'm tempted not to renew it, and if it happens again send a strongly worded
letter telling them to cease all communications as there has been an error on
their part (maybe GDPR gives more powers in this case?). I'm not a heavy
credit user, so the impact on my credit score isn't a concern.

For anyone concerned, the best way I found to monitor this is through free
credit score monitoring services such as ClearScore. Through their website I
can see any searches on my credit score (unfortunately they don't notify you).
If a search appears for a company you don't recognise, it is most likely an
indication of something similar going on.

~~~
jackweirdy
I use ClearScore too (which covers Equifax), as well as the MoneySavingExpert
Credit Club which covers Experian, and is also free:
[https://moneysavingexpert.com/creditclub](https://moneysavingexpert.com/creditclub)

~~~
rutthenut
I don't believe that these 'free' credit score services are free, you just
don't pay them a monthly fee. Instead, they make money from having your
financial details, presumably to sell you other services. Same as farcebook et
al, not really free at all.

~~~
Spare_account
I use Noddle (operated by CallCredit) and I don't recall ever having been
upsold anything.

Edit: After logging back in to have a look, it turns out that the website has
a bunch of cross-selling adverts mixed in and around the 'free' credit-
reporting service:

[https://imgur.com/bBl8y2T](https://imgur.com/bBl8y2T)

Going through the process of drawing red circles around the adverts made me
realise 80% of the page is in fact advertising but for some reason I just
never noticed them. I like to think I have a built in uBlock in my brain
although I'm probably subconsciously absorbing their marketing message without
realising it.

------
Cyphase
Things like this seem to indicate an almost complete lack of competence with
regard to security and breach response. Can Marriott not afford to hire one
full-time, experienced, competent person to oversee security policy? Of course
they can. But it seems that they haven't, because someone whose job it is to
oversee security policy should certainly be right in the middle of Marriott's
response process, and should have caught something like this.

I'm not saying there are no competent people doing security at Marriott. If
you work at Marriott doing security work, I'm not trying to attack you; this
kind of thing is not one person's fault (unless it really, really, really is,
and not even then, because the other people in the organization shouldn't have
allowed such a single-point-of-failure). But really.. it's just abysmal.

~~~
JustSomeNobody
The top two items in the MBA handbook are firstly to keep personnel count as
low as possible (because the few left are more "productive" somehow) and
secondly to shrink any IT department to the bare minimum (it's a cost center,
no good comes from a cost center).

------
Angostura
To me the annoying thing about the e-mail from Marriott that I received was
that it simply says my details 'may' have been breached and that 'some' of the
breached e-mails had various types of data stolen.

I understand this as an initial response. What I _don't_ appreciate is the
lack of a line in the e-mail saying 'as soon as we have more details about the
extent of the breach for your particular account, we will let you know'.

I still have no real idea what was stolen and I don't know if I'll ever be
told.

------
gammateam
Unions should post bug bounties on their employers for a more modern take on
relevance and contract negotiations

Because that two month strike was an exercise in futility

Would harden the employer system too

------
kop316
Personally, I would like to see legislation similar to the Privacy Act of
1974 be passed that governs how corporations use PII:

[https://en.wikipedia.org/wiki/Privacy_Act_of_1974](https://en.wikipedia.org/wiki/Privacy_Act_of_1974)

------
davidhyde
Perhaps marriott.com would be at risk of being sent to junkmail if they sent
out mass security update emails. Maybe that’s a risk they weren’t willing to
take. They clearly only care about their business and not their customers so
why would they junk their domain?

------
ericd
Anyone know if there are any grounds for a class action?

------
eeeeeeeeeeeee
The letter I received from Marriott went straight to my spam folder (Gmail).

------
diminoten
I signed up for the monitoring service they provided, and much to my delight I
discovered the service retails for $130 annually.

I genuinely hope Marriott has to pay that price, even though I've given it no
information to monitor except my email address.

I suggest as many people as possible sign up for this service.

~~~
joshstrange
So it probably is a paid worse version of Have I Been Pwned...

