
Marriott hack hits 500M Starwood guests - tooba
https://www.bbc.co.uk/news/technology-46401890
======
ransford
Marriott's incident page [1] links to a Q&A page [2]. Apparently the
forthcoming sorry-we-lost-your-data notifications will come from
"starwoodhotels@email-marriott.com".

"Let's immediately set up a separate domain name that looks like ours" remains
one of the weirdest antipatterns in incident response.

[1] [http://news.marriott.com/2018/11/marriott-announces-
starwood...](http://news.marriott.com/2018/11/marriott-announces-starwood-
guest-reservation-database-security-incident/)

[2] [https://info.starwoodhotels.com/](https://info.starwoodhotels.com/)

~~~
cm11
Is this to purposefully increase likelihood of getting caught in a
spam/phishing filter? So they claim they've reached out while also (probably
correctly) claiming it's not their fault if customers didn't get it.

~~~
CobrastanJorji
Interesting theory. My theory was that there are incident management
contractors who get this sort of business and don't want to bother integrating
with any existing company's infrastructure, so they just set up something
entirely different.

~~~
reaperducer
Probably not so much "don't want to bother" as "can't do it in a timely manner
because of the company's internal processes".

One of the companies I work for has all kinds of crazy domains because the IT
department and the Communications Department don't get along the way they
should.

------
crazygringo
Is it time for us to simply accept that it's inevitable that, at some point,
everything will be hacked, and hacked often?

Should we be focusing our efforts more on how to make "identity theft" (i.e.
fraud) more difficult, even _when_ someone knows all your data?

Something more tied to your physical self, whether 2FA or something else?

~~~
jrue
> Is it time for us to simply accept that it's inevitable that, at some point,
> everything will be hacked, and hacked often?

I disagree. I’d take the economist's route, which is looking for the incentives
that drive motivation. If companies were held to a higher standard of
accountability, imagine how many would beef up their security. For decades,
security researchers have been poking fun at how ridiculous some of these
sites are at handling security, and nothing ever happens.

Now, imagine if there was severe economic accountability to a company that was
hacked. Perhaps payouts to each person affected (in this case, to all 150m). I
imagine you’d see security become a top priority very quickly at most
companies.

~~~
chibg10
As a developer, do you really want to live in a world where "security is a top
priority" at every company? Does such a world even make economic sense after
accounting for the opportunity cost of the time that most developers would
otherwise spend actually building new products and features?

While companies could probably do better than they are right now, hacks like
this are probably never going to be eliminated. There are too many companies
and too many developers for nobody to make mistakes, even when they're being
mindful not to. Investing in solutions that assume hacks will happen seems
reasonable to me.

~~~
PeterStuer
'As a car designer, do you really want to live in a world where "safety is a
top priority" at every company? Does such a world even make economic sense
after accounting for the opportunity cost of the time that most designers
would otherwise spend actually building new products and features?'

Most professions and companies are (at least in theory) held accountable for
their impacts.

~~~
closeparen
No car on the market is as safe as the absence of a car. Car companies make
tradeoffs towards safety where it's reasonable and economical, but still
fulfill their baseline mission, which is inherently dangerous. People are
injured and killed in car crashes every day; car companies are not "held
accountable" unless there's a specific defect and they should have known
better.

~~~
redbeard0x0a
Such as a company knowing better than to keep their servers patched, to have a
process to make sure their servers are patched, to have a process that shows a
list of servers that are _not_ patched, etc.

There are a lot of really stupid mistakes made in a lot of these data
disclosures that a competent IT team (and dev team) can prevent from
happening. The current state of things is that there are hardly any
consequences for losing people's data, just make a bulk purchase of credit
monitoring and call it a day. This is cheaper than actually hiring the right
people and implementing the correct processes.

------
noja
"We cannot find any evidence that the stolen information has been misused" -
says every company ever, as if that means anything.

I give it 24 hours.

~~~
raisedbyninjas
The only logical conclusion is the data must have been stolen as an academic
exercise.

~~~
bduerst
How lucky Marriott is, to have some good Samaritans to stress-test their
security without the intention to misuse their user data.

------
eletious
Not entirely on topic, but Marriott seems to be dealing with some internal
phone abuse issues as well - calls going directly to hotel rooms (bypassing
the front desk) and asking for card details to fix broken incidentals records.
I got a call like this yesterday and found out that it's enough of an issue
that they've printed out signs in the lobby warning guests to not hand out
information.

~~~
SmellyGeekBoy
That's interesting. I've had a couple of calls like this in the past and have
always insisted on going to reception instead of giving details over the
phone. Thankfully mine turned out to be genuine.

------
keehun
Here's a link to the official Marriott release, FWIW:
[http://news.marriott.com/2018/11/marriott-announces-
starwood...](http://news.marriott.com/2018/11/marriott-announces-starwood-
guest-reservation-database-security-incident/)

------
ourcat
Note: This has affected Marriott's "Starwood" division.

Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four
Points by Sheraton. Marriott-branded hotels use a separate reservation system
on a different network.

~~~
pgrote
Odd. It looks like the intrusion could be the cause of the hurried merge.

[https://www.wsj.com/articles/inside-the-marriott-starwood-
lo...](https://www.wsj.com/articles/inside-the-marriott-starwood-loyalty-
program-turbulence-1543416010)

According to the article the systems were merged 3 months ago.

"The company resolved one major issue involving elite-night credits earned
from credit card spending just last week, more than three months after the
integration. That problem left many members in limbo, unsure of how close they
were to hitting elite-level thresholds before year’s end."

The intrusion was detected on Starwood's system in September according to the
BBC article.

"On September 8, 2018, Marriott received an alert from an internal security
tool regarding an attempt to access the Starwood guest reservation database.
Marriott quickly engaged leading security experts to help determine what
occurred. Marriott learned during the investigation that there had been
unauthorized access to the Starwood network since 2014. Marriott recently
discovered that an unauthorized party had copied and encrypted information,
and took steps towards removing it. On November 19, 2018, Marriott was able to
decrypt the information and determined that the contents were from the
Starwood guest reservation database."

~~~
sailfast
This sounds more like Marriott having better monitoring and once the DBs got
merged they figured out somebody had been in the Starwood network for four
years.

------
cs702
As a first rough approximation, this figure includes _everyone on HN_.

It appears to include everyone who's ever stayed in a room at a Marriott, St.
Regis, Ritz-Carlton, Bulgari, W Hotel, JW Marriott, The Luxury Collection, Le
Meridien, Renaissance, Westin, Tribute Portfolio, Sheraton, Autograph
Collection, Design Hotel, Marriott Executive Apartments, Delta Hotels &
Resorts, AC Hotels, Element, Gaylord, SpringHill Suites, Courtyard, Residence
Inn, Fairfield Inn & Suites, Moxy Hotels, Protea Hotels, TownePlace Suites,
Aloft, Four Points by Sheraton, or Marriott Vacation Club property.

For reference, there are under 130M households in the US and around 200M
households in the entire EU.

~~~
isostatic
What possible reason would Marriott have to have details of my stay from 6
years ago on record, especially on their reservation system?

~~~
pc86
Customer reactivation.

Other marketing activities.

Resale to third parties.

You at any point requested to be added to their mailing list and that's linked
to purchase history.

Web analytics linked to purchase history.

Corporate policy is not to delete data.

Laziness.

So there's seven reasons of various legitimacy off the top of my head.

~~~
isostatic
Not convinced any of those would pass the GDPR legitimate interests test,
especially if I haven't specifically consented to such reasons.

> Resale to third parties.
>
> Corporate policy is not to delete data.
>
> Laziness.

especially are great examples of why the GDPR was created, even once we ignore
the advertising industry.

------
trollied
"It said some records also included encrypted payment card information, but it
could not rule out the possibility that the encryption keys had also been
stolen."

Oh dear.

~~~
no1youknowz
Can anyone recommend solutions (for those that don't know) on how to have an
encrypted database for sensitive information, i.e. first name, last name, IP,
geo data, etc., and the encryption keys not be available to hackers when they
have essentially gained root?

~~~
CGamesPlay
Have a server responsible solely for decryption and audit access to it. The
server doesn’t issue keys, it literally does the decryption. AWS KMS can do
this for you.

The gist is you create an encryption key for your row, encrypt it using your
encryption service, and store it next to your actual payload. To decrypt, ask
the service to decrypt the key which you use to decrypt the payload. If your
database gets popped, your decryption server hopefully didn't because you
hardened it specifically.
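The envelope-encryption pattern CGamesPlay describes, as an added example that is not from this thread or from AWS: a hypothetical `KeyService` type stands in for the hardened decryption host (a real deployment would call KMS for the wrap and unwrap steps), the database keeps only the wrapped per-record key beside the ciphertext, and every unwrap is written to an audit log. All names are assumptions made for the example; any payload fed to it is constructed test data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keys are always 32 bytes generated below, so a cipher or CSPRNG failure is a bug, not input.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal: AES-256-GCM; output is nonce || ciphertext || tag. aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, a wrong aad, or a tampered blob.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyService stands in for the hardened decryption host (KMS in the comment):
// the master key never leaves it, and every unwrap is appended to Audit.
type KeyService struct {
	master []byte
	Audit  []string // "caller:recordID" per Unwrap call
}

func NewKeyService() *KeyService { return &KeyService{master: randomBytes(32)} }

// GenerateDataKey returns a fresh per-record key and its wrapped form; only the
// wrapped form is stored. The record ID is bound as AAD, so a wrapped key copied
// from one row cannot be unwrapped under another row's ID.
func (ks *KeyService) GenerateDataKey(recordID string) (plain, wrapped []byte) {
	plain = randomBytes(32)
	return plain, seal(ks.master, plain, []byte(recordID))
}

// Unwrap is the only path back to a data key, and it always leaves an audit entry.
func (ks *KeyService) Unwrap(caller, recordID string, wrapped []byte) ([]byte, error) {
	ks.Audit = append(ks.Audit, caller+":"+recordID)
	return open(ks.master, wrapped, []byte(recordID))
}

// EncryptRecord returns the two columns the database stores: wrapped key and ciphertext.
func EncryptRecord(ks *KeyService, id string, payload []byte) (wrapped, ct []byte) {
	dataKey, wrapped := ks.GenerateDataKey(id)
	return wrapped, seal(dataKey, payload, []byte(id))
}

// DecryptRecord asks the service for the data key, then decrypts the payload locally.
func DecryptRecord(ks *KeyService, caller, id string, wrapped, ct []byte) ([]byte, error) {
	dataKey, err := ks.Unwrap(caller, id, wrapped)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ct, []byte(id))
}
```

A dump of both stored columns decrypts nothing without a call to the service, and a wrapped key replayed under a different record ID, or a ciphertext altered in transit, is rejected rather than decrypted.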

------
lsiunsuex
It's like you need to keep a running diary of every single service you've used
/ every single place you've been so when something happens like this, maybe
you can find out if you actually used that service or visited that place.

I think I stayed at a Starwood 2 years ago in PA? But I don't remember if it
was a Starwood or some other Marriott brand.

~~~
matwood
Does it really matter at this point? It's safe to assume all your data has
been compromised. Given the state level IRS hacks that have happened in quite
a few states, the OPM hack, and the hundreds of business hacks no one is safe
anymore. Everyone should operate under the assumption their information is
known and do things like freeze their credit and keep an eye out for the data
being used.

~~~
lsiunsuex
Sure it does. Just because they "apologized" doesn't mean it should be
acceptable or dismissable.

These breaches keep happening and these companies continue to not be held
accountable or punished in any way, except for bad press for 2-3 days until
everyone forgets and it's on to the next security breach.

You want me to shop at your store or use your services, you want me to join
your mailing list or give you my address, CC and phone # - I expect at the
least, for that information to be kept secure.

~~~
matwood
I agree companies should be punished and held accountable. As an aside, how
does one go about punishing the government though?

The point I was making is that everyone should assume their data is already
compromised. The weakest link will always be an issue, and in many cases it is
one you cannot control - the government.

~~~
lsiunsuex
Us in the IT field - programmers, sys admins, whatever - yes, we probably
should assume our data is insecure because we're in it. We see these breaches
here on HN and we know what to expect when they happen.

As everyone always says about these types of things. We are not the target
market so to speak.

Joe user doesn't know to read HN and gets their news from the TV IF they
happened to be watching when it was covered.

I'm agreeing with you. I know we should know to be careful. But it's still not
acceptable.

------
cmurf
History being a guide, Marriott will obtain a contract with some financial
security monitoring service, and offer a ~12 month free period for affected
consumers. I've always thought these products are b.s. The advertising is
scammy. I'm betting they leak even more data, like your purchase histories.

Does anyone know of the efficacy of these monitoring services? If they were
really even slightly more effective than even odds, I would say that consumer
protection laws should require free monitoring for a longer period, say 24
months or even 36 months. Ironically though, proper monitoring means sharing
all of this same personal information with a 3rd party, and then some.

I also wonder if it's just more effective to take advantage of the free credit
report freezing feature, since that doesn't require me to share even more
personal information with a 3rd party; and actually restricts access to
personal information instead of expanding it.

------
PunchTornado
I guess without GDPR there wouldn't have been a push for these companies to
notify of breaches so early. We could have found out about it next year.

Also given the potential penalties, probably companies will now start to
invest more in proper IT systems.

~~~
ramblerman
Was that part of GDPR?

I know they have to hold the minimum amount of information needed, and inform
you clearly what they know.

But weren't they always required to announce a breach?

~~~
robin_reala
GDPR has a specific 72 hour time limit on breach announcements:
[https://ico.org.uk/for-organisations/guide-to-the-general-
da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-
protection-regulation-gdpr/personal-data-breaches/)

In this case, they discovered the breach on September 8, 2018, and announced
it on 30th November, 2018. That’s 1,464 hours, a little bit more than 72.

~~~
PunchTornado
Hmm, they say they reported it to the regulatory authorities at the time of
the incident. So I guess they are safe on that one.

~~~
robin_reala
Ah, true. I hadn’t internalised that you only have to announce it publicly
in cases with “a high risk of adversely affecting individuals’ rights and
freedoms”.

------
donkeyd
I recently got added to Starwood Preferred Guest. I still don't know why they
have my e-mail (don't seem to have stayed at any of their hotels), but I guess
it's out there now, even though it wasn't in HIBP before.

------
codedokode
If they didn't keep the data from long ago, then the damage would be much
smaller. Such companies definitely need some help from lawmakers. Companies
shouldn't keep personal information for years.

------
hamilton
A handful of years ago, Paul Ohm wrote about a concept he called the "Database
of Ruin" [0]. I think about it every time one of these pieces of news breaks.

"Once we have created this database, it is unlikely we will ever be able to
tear it apart."

[0] [https://hbr.org/2012/08/dont-build-a-database-of-
ruin](https://hbr.org/2012/08/dont-build-a-database-of-ruin)

------
duxup
>It said an internal investigation found an attacker had been able to access
the Starwood network since 2014.

Jebus that seems like a long time before discovering it.

------
koboll
>"We deeply regret this incident happened," the company said in a statement.

This is peak non-apology apology.

~~~
duxup
Well I'm sure they regret it... it's very inconvenient for them.

------
visarga
... and ... nothing will happen to Marriott.

------
bduerst
I just signed in to Marriott.com to see what info they have on me that was
stolen, and was forced to change my password. It even required email
verification, which is good.

Then when I tried to log in with my new password I was rejected, saying my
account is 'under audit' for suspicious activity. God dammit.

Is anyone else unable to log in?

------
0xmohit
The New York Attorney General is opening an investigation into a Marriott data
breach that may have affected 500 million guests.

[https://twitter.com/NewYorkStateAG/status/106851007239602995...](https://twitter.com/NewYorkStateAG/status/1068510072396029952)

~~~
swarnie_
I would expect the EU to follow with GDPR shortly, massive fines incoming.

~~~
shawn-butler
Great massive fines, significant lawyer billing, some worthless credit
monitoring service free for 6 months and screw the affected consumers.

Let's see Target is probably the most obvious parallel: $202 million in
reported legal fees and other costs. $18 million to states (fines). $39
million to the financial institutions affected by the breach and a whopping
$10 million for the consolidated class action lawsuit (along with the $6.75
million for plaintiffs’ attorneys fees and expenses).

Oh wait, Target annual profits are $20 billion? Never mind.

------
CaptainZapp
Great!

My last stay at a Starwood property was in January 2016 at the Bangkok
LeMeridien.

Not that they would bother to set up a call center number for Switzerland.

Do they really expect me to call internationally at my expense to then hang in
a loop for an hour or so?

On the plus side: Nothing bad happened since then.

Nevertheless I'm not impressed.

~~~
bryanrasmussen
I'm thinking - they don't really expect you to call internationally to hang in
a loop for an hour or so but they have calculated that a certain number of
people will call internationally and hang in that loop whether or not any
single individual is highly unlikely to do so.

~~~
jgust
I'm willing to bet that they haven't calculated _anything at all_ and they are
scrambling to put out the fire.

~~~
freehunter
Remember when Equifax set up a "have I been hacked" site and that site was
then immediately hacked?

------
SketchySeaBeast
Outside of the privacy problems (which, let's be honest, our data is already
out on the web) if you changed your credit card since your last visit you're
probably safe on that particular financial attack vector, right?

------
imnotlost
I'm almost certainly in the database.

So I have to get a new passport, get a new phone number, get a new credit
card, change my email address... in the US, can I sue in small claims court to
recover the costs of doing these things?

~~~
randomsofr
don't forget to change gender and date of birth as well

------
TekMol
> It said some records also included encrypted payment card information, but
> it could not rule out the possibility that the encryption keys had also been
> stolen.

Why did the world end up with a pull-system for payments? Why do I have to
give out my credit card number and enable the other side to pull arbitrary
amounts as often as they like?

This is one of several things crypto currencies got right. You pay by
_pushing_ money to the other side.

~~~
pjc50
The short answer is that credit cards were invented over 40 years ago, to
operate in an offline and indeed paper-based system (hence the embossed digits
for use in mechanical duplicators). For a more modern system look at
contactless.

FWIW I think the "one shot push" model of cryptocurrencies has some serious
limitations which I think should be addressed by an "invoice" system - e.g.
you can easily pay the wrong person, or even an address which doesn't exist
and is owned by nobody! Not to mention dumb errors such as swapping the
payment and tip fields. It would be better if the payee crafted a cryptogram
for "please pay me (authenticated address) the sum of X", and the payer was
simply generating an approval of that.

~~~
TekMol
> It would be better if the payee crafted a cryptogram for "please pay me
> (authenticated address) the sum of X"

Are you talking about offline? Because on a website I would expect the payer
to simply copy&paste the address.

I would also expect a link type to evolve that browsers understand. Something
like "payto:1fs8e...?amount=0.01&coin=btc" to pay 0.01 bitcoin to 1fs8e...
Similar to the "mailto:user@host?subject=...&body=..." link type.

And when we talk about offline (paying for a restaurant or something) - isn't
there a visual link type already? I am not a user of crypto. But I think I
have seen barcodes or something used for this.

~~~
yesbabyyes
Something like the `bitcoin:` URI scheme?

    bitcoin:1fs8e...?amount=0.01

[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawi...](https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki)
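A wallet-side parser for the `bitcoin:` URI form shown above, added here as an example that is not part of the thread or of the BIP repository. It applies the two BIP 21 rules that bear on pjc50's "paying the wrong amount or the wrong party" worry: the amount is parsed exactly rather than through a float, and any `req-` parameter the wallet does not understand invalidates the whole URI instead of being dropped. Address checksum validation is out of scope, and the address used in the test is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PaymentRequest is what a wallet extracts from a bitcoin: URI (BIP 21).
type PaymentRequest struct {
	Address  string
	Satoshis int64             // 0 when the URI carries no amount
	Label    string
	Message  string
	Extra    map[string]string // optional parameters this parser does not interpret
}

// parseBTC converts a decimal BTC amount ("0.01") to satoshis without
// going through floating point, which would silently round.
func parseBTC(s string) (int64, error) {
	whole, frac, _ := strings.Cut(s, ".")
	if len(frac) > 8 || whole+frac == "" {
		return 0, fmt.Errorf("bad amount %q", s)
	}
	var n int64
	for _, c := range whole + frac + strings.Repeat("0", 8-len(frac)) {
		if c < '0' || c > '9' {
			return 0, fmt.Errorf("bad amount %q", s)
		}
		n = n*10 + int64(c-'0')
	}
	return n, nil
}

// ParseBitcoinURI rejects anything that is not bitcoin:<address>[?params]
// and refuses URIs carrying a required ("req-") parameter it cannot honour.
func ParseBitcoinURI(raw string) (*PaymentRequest, error) {
	u, err := url.Parse(raw)
	if err != nil || !strings.EqualFold(u.Scheme, "bitcoin") || u.Opaque == "" {
		return nil, errors.New("not a bitcoin: URI")
	}
	pr := &PaymentRequest{Address: u.Opaque, Extra: map[string]string{}}
	for key, vals := range u.Query() {
		val := vals[0]
		switch key {
		case "amount":
			if pr.Satoshis, err = parseBTC(val); err != nil {
				return nil, err
			}
		case "label":
			pr.Label = val
		case "message":
			pr.Message = val
		default:
			if strings.HasPrefix(key, "req-") {
				return nil, fmt.Errorf("unsupported required parameter %q", key)
			}
			pr.Extra[key] = val // unknown optional parameters are kept but ignored
		}
	}
	return pr, nil
}
```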

------
brewdad
This was the kick in the pants I needed to finally take the time to freeze my
credit. I don't know how much it will help but it can't hurt, I guess.

------
drcode
Is anyone else noticing unusual downvotes on this thread? Anyone think it's
plausible a Marriott damage control team is participating on this thread?

~~~
pc86
I think it's unlikely that a Marriott "damage control team" cares about
comment vote totals on an HN thread.

~~~
drcode
I would usually agree, but near as I can tell the vast majority of the top-
level comments in this thread have a negative score and I find that
surprising.

~~~
ryacko
The most famous damage control team:

[https://en.m.wikipedia.org/wiki/Jackie_(dog)](https://en.m.wikipedia.org/wiki/Jackie_\(dog\))

Never underestimate collective stupidity.

------
Jabbles
How could it affect 500 million? 1 in 16 people worldwide have stayed in a
Marriott hotel? That seems like a lot...

~~~
pc86
500 million reservations from 150 million people/companies/entities.

------
aaaaaaaaaab
I hope they at least hashed the credit card numbers ( ͡° ͜ʖ ͡°)

~~~
tgtweak
Wishful thinking, they encrypted them so they could conveniently be recovered.

------
lawnchair_larry
They still don’t even use https, so this is not surprising.

------
magnamerc
When you start using Ethereum and web 3.0, the solution to data security
becomes quite clear. I'm sure I'm gonna get roasted here for even mentioning
this, but you'll all eventually come around.

------
dopamean
Why on earth would they hold onto passport numbers? The amount of data
companies hold onto is ridiculous. It can't all be necessary.

~~~
willvarfar
In many countries hotels are required by law to keep passport numbers of
foreign guests.

In the US there is, apparently, no federal law; however, it is often part of
state law: [https://travel.stackexchange.com/questions/76012/laws-
requir...](https://travel.stackexchange.com/questions/76012/laws-requiring-
identification-at-hotel-check-in)

In many more countries hotels do it despite it not being required; they just
do it to assist law enforcement agencies.

And doubtless they like to keep the data themselves as an effective way to
track and mine guests across multiple visits.

------
geggam
Privacy is dead. Long live... ?

~~~
brootstrap
Getting constantly hacked from all angles. FB AMZN GOOG AAPL are always
listening to us thru devices. Mega corps build systems that leave sensitive
data exposed to the public web. I'm curious to see what actually caused this
hack. I wonder if they used mongo db with default settings lol.

~~~
Latteland
I think the vast majority of these hacks come from some random office worker
clicking on a doc in an email and opening it up in a Microsoft app, on
Microsoft Windows. We've never really blocked that up yet. I don't see it
coming because someone hacked the backend of Apple, Google or Amazon. Who
knows about Facebook.

------
rednerrus
I do not envy their ops team.

------
calebm
A nice article to read while sitting here in a Marriott.

------
nkkollaw
This is going to end so many marriages, it's not even funny.

------
code4tee
That’s quite a lot of gasoline being thrown on the whole train wreck that is
the Starwood integration.

~~~
Aloha
I wouldn't call it a wreck; probably 80% of members transitioned without any
real problem. For some though, it's been awful.

------
drcode
A breach like this should mean that Marriott should immediately be in
bankruptcy, since the potential damage to any individual customer is well
above multiple thousands of dollars.

I wish some of these giant companies would see some real consequences for
their lax security practices.

------
sneak
I find this to be justification in carrying a fake ID and issuing a credit
card from my corporate line of credit in that cover name for use when renting
hotel rooms.

Every time a private organization demands your government ID to do business,
assume that this will happen eventually. Airlines and hotels immediately come
to mind, but I am sure there are lots of others. I'm not sure that air travel
with a fake ID is viable due to Secure Flight, however. Also, as rental car
insurance interfaces (potentially) with a police report/government ID, I am
not sure I will rent cars in the future.

When it comes to places you regularly or habitually sleep, this could mean
direct physical danger to you, depending on circumstance.

Protect yourself.

~~~
SketchySeaBeast
> When it comes to places you regularly or habitually sleep, this could mean
> direct physical danger to you, depending on circumstance.

Sorry, what are you saying here? That the online identity thieves will come to
your house?

~~~
sneak
That people looking to extort, blackmail, or kidnap you or your family can now
tail you from the hotels you usually/habitually frequent during conferences
you consistently attend. It lets them predict your future location so that
physical surveillance or ambush can be prepared.

~~~
SketchySeaBeast
I doubt that's going to be the result. I doubt that anyone is in any way that
important. It's going to be financial / identity fraud, there's no reason for
the thief to ever see your face.

~~~
sneak
Several thousands out of the 500 million that stayed at Starwood properties
are indeed that important.

~~~
SketchySeaBeast
Several thousand are so important that one may want to physically stalk them,
but not know their home address / travel habits until this particular leak? I
doubt it.

~~~
sneak
It is relatively simple to maintain a “home address” in a different place from
where you and your children sleep. It is not the case when you stay in a
hotel.

