
Marriott says 5.2M guests exposed in new data breach - pseudolus
https://www.reuters.com/article/us-marriott-intnl-data-breach/marriott-says-5-2-million-guests-exposed-in-new-data-breach-idUSKBN21I3DC
======
avz
The reason the practice of collecting consumer data is so prevalent is that it
is very easy to do and opens potential opportunities for the business in
future. Never mind that it exposes consumers to risks.

The practice won't stop until consumer data becomes a liability for any
business touching it. At that time, only businesses that are actually able to
utilize the data to derive revenue sufficient to compensate the liability will
continue to collect it. Hopefully, in many cases the revenue would come about
as a result of creation of some value for the consumer.

------
jakub_g
> contact details, loyalty account information and additional personal details
> such as gender and birthdays

I'm always wondering why a random service would need a date of birth (apart
from validating "the person is an adult"). Some of them give you a special
promo for your birthday, but I guess I can live without that.

Except banking & government services, I typically provide a fake one if
required, because, WTF?

~~~
sneak
Name + DOB to disambiguate are the lookup keys they pass to data brokers to
identify you, given a government ID (required to check in to a hotel). It
gives them access to things like address history, email address history (for
crosslinking of account records), credit rating, marketing channel tags, et c.

Same goes for the phone number that some website registrations demand. It's
not to call you, it's to lookup your name and address and annual income.

~~~
irrational
Huh, I chose a random date from the year before I was born and use it whenever
sites ask for my birthday. I’ve never had one come back and say that isn’t
really my birthday.

~~~
Scoundreller
And for Dairy Queen, I gave them a date in the summer. Getting coupons in the
middle of winter isn't too useful!

------
reedwolf
Luckily, Marriott doesn't have anything else to worry about right now.

~~~
icebraining
Pandemic aside, they still have a $100M GDPR fine hanging from a previous
breach!

[https://www.theregister.co.uk/2020/01/13/ico_british_airways...](https://www.theregister.co.uk/2020/01/13/ico_british_airways_marriott_fines_delayed/)

------
tmlee
Every time I asked for my copied ID to be watermarked when checking in at
hotels, they always gave me a strange look, as if I do not trust their
information security.

~~~
imglorp
Would you elaborate how to do this?

~~~
eneveu
Yeah, I would like some more details. Not sure I understood what exactly it
means to "watermark" the ID. Is the goal to change it subtly to find out if it
was leaked? Or is the goal to redact parts of it?

------
bogomipz
The last breach was November of 2018. They have had a year and a half to
fix their abysmal security practices. Instead they chose to focus their
efforts in that time on a ridiculous branding juggernaut ("Bonvoy"). Seriously
fuck this company. I hope people vote with their wallet.

~~~
elipsey
Every Marriott I have ever been in was chosen for me, because of their
business-friendly group booking system. There's a principal-agent problem
with hotels that rely on corporate group rate and conference customers.

I went to the fedex store in a Marriott a couple of blocks from here to drop
off a pre-paid parcel, and they wanted a $20 "convenience" fee to leave it on
the desk. Maybe Marriott doesn't need to care about guest infosec because
guests are the product, not the customer.

I mean, no one pays $27 of their _own_ money for a continental breakfast...

~~~
Keverw
Wow, never heard of paying to drop off a package. Is that common? I thought
the shipping fees, or postage if it's the government post office, are what's supposed to pay for
that.

~~~
elipsey
I think the Fedex Store is operated by a private firm, and can therefore
charge whatever it likes.

------
SketchySeaBeast
I imagine this will probably be mostly duplicate data from last year's data
breach. What a continual mess.

~~~
Drip33
On the bright side, nobody else is booking hotels anymore so they have time to
fix their systems this time around.

~~~
waterfowl
They've furloughed 2/3 of their corporate HQ staff.

[https://wtop.com/business-finance/2020/03/marriott-furloughs...](https://wtop.com/business-finance/2020/03/marriott-furloughs-thousands-at-its-bethesda-headquarters/)

~~~
spydum
Yup and the individual hotels are being cut just as hard if not harder. Bad
days to be in the hospitality biz.

------
ogre_codes
Is it safe now to just assume that most everything about me has been exposed
to someone? My only hope is that the number of places I've provided bogus
information to creates enough noise that the truth is obscured some.

~~~
chrischen
Probably (Mastercard provides free monitoring of leaked databases:
[https://mastercardus.idprotectiononline.com/enrollment/embed...](https://mastercardus.idprotectiononline.com/enrollment/embedded.html))
however the service is kinda garbage because they censor it so much that I
have no idea what of my data is actually leaked), but from a quick Google
search it looks like you've voluntarily given out a lot about yourself
anyways. I think most people have and are lulled into a sense of false
security simply because no one has a need to target them yet. Sort of like the
"I've done nothing illegal so I have nothing to fear" mentality but substitute
government with criminals.

~~~
notkaya
I often wonder how big my data footprint is. I don't have any social media,
and I cycle between a few handles on any publicly facing site I keep an
account with. I suppose Google must have all of my search history associated
with my main email address, but I use several different emails and browsers in
my day to day.

I guess I'm wondering how good all of these companies are at sharing data
between themselves. What kind of data is exposed when I use my primary email
to log into Zoom or Spotify on a work computer, or my phone, or one of my
relative's computers? To what extent do these companies coordinate and share
this data?

It all just seems like a really big unknown to me, and I'm relatively tech
savvy.

------
president
This is the new norm. These hacks are not going to stop until these companies
are actually punished for these breaches. One of the many things that are
contributing to loss of faith in our system.

------
yoaviram
"Fool me twice, shame on me"

If you live in the EU or California and didn't send Marriott a GDPR/CCPA
deletion request after the first breach please do it now:
[https://yourdigitalrights.org/?company=marriott.com](https://yourdigitalrights.org/?company=marriott.com)

------
tzm
This is in addition to the 500 million customer breach in September, 2018.

[https://sensorstechforum.com/500-million-customers-marriott-...](https://sensorstechforum.com/500-million-customers-marriott-starwood-data-breach/)

------
josho
What protections/power do consumers have when their personal information is
exposed like this?

~~~
foob4r
Complain about it online. /s

------
thelock85
How does one verify that the reported details exposed in the breach are the
actual details? If that's impossible or really hard to do, wouldn't Marriott
deny culpability given the pervasiveness of identity/CC fraud?

------
joshstrange
I wonder how many more instances of "taking out the trash" we are going to see
as this pandemic continues. Suddenly it's like everyday is Friday...

------
ycombonator
Marriott is an outsourced shop (TCS, Cognizant et al.). They are an empty shell
run by “managers”.

~~~
stevewodil
Shocking that outsourced IT can't secure customer data. In my own experience
with outsourced IT (specifically outsourced to India) it was extremely
worrying that the people managing an IT infrastructure had no idea about very
basic IT and had to ask the same questions over and over.

I do not trust Accenture. Fuck them.

~~~
devdas
The paycheques of staff at these firms come from following process. The big
perk they offer competent employees is to get a US or EU work visa and be
deputed on-site (that is easily a 10X salary hike for people with less than 10
years of experience), and that perk is how they keep salaries low.

You could get more competent people, but they are less likely to follow
process (which violates contract terms), and would cost more.

Edit: Also, if you work in one of the big service firms for a US client, you
will have to do your day job, and then return to the office later at night to
have meetings on US time.

------
Wmamouth
Marriott is not having a great month.

------
arghblarg
That headline, geez... remove the last four words and I guess it could be
much, much worse :o

~~~
adrianmonk
Yeah, it is a bit of a garden-path sentence
([https://en.wikipedia.org/wiki/Garden-path_sentence](https://en.wikipedia.org/wiki/Garden-path_sentence)).

------
sneak
This is a good reason to carry a fake ID and a corporate credit card issued in
the same name. (Most banks will allow you to issue subaccount cards on a
corporate credit line in any name you type in the box.)

Being able to predict when you might be at a given hotel in the future (which
is possible from one's stay history, e.g. a conference you attend every year)
is tremendously useful for blackmailers, kidnappers, and the like.

I personally refuse to allow my PII in these databases on these grounds, and
these days it's impossible to get a hotel room without an ID, so this is the
only option.

