Identity Stolen Because Of The Marriott Breach? Come And Claim Your New Passport

It’s The Least They Could Do. Really. The Bare Minimum

passport

Hotel-chain turned data faucet Marriott says it will help some customers cover the cost of replacing stolen documents.

The company on Friday confirmed to The Register that customers who fall victim to fraud as a result of forged passports will be eligible to claim a replacement passport at Marriott’s expense.

“As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” a spokesperson told El Reg.

“If through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”

This after last week’s revelation that half a billion customer records collected over four years of hotel bookings had fallen into the hands of criminals who managed to get into Marriott’s Starwood reservation system.

In addition to encrypted card details, the attackers were able to access customers’ name, mailing address, phone number, email address, passport number, Starwood account number, date of birth, and gender.

The attackers also would have been able to look at information on when customers stayed with the hotels, though that info would have been of far less value.

Earlier this week, Senator Charles Schumer (D-NY) called on the company to cover the costs of new passports for the customers who have fallen victim to fraudulent activity as a result of the data theft.

“A new passport costs $110. Marriott must personally notify customers at greatest risk,” Schumer Tweeted.

“And Marriott should pay the costs of a new passport for victims who request it.”

Despite the calls for Marriott to cover costs in case of fraud, actually cloning a US passport would require much more than a passport number, as the US State Department recently noted.

Original Source Here

500 Million Marriott Guest Records Stolen in Starwood Data Breach

Marriott International Starwood Hotel Data Breach

The world’s biggest hotel chain Marriott International today disclosed that unknown hackers compromised guest reservation database its subsidiary Starwood hotels and walked away with personal details of about 500 million guests.

Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

The incident is believed to be one of the largest data breaches in history, behind 2016 Yahoo hacking in which nearly 3 billion user accounts were stolen.

The breach of Starwood properties has been happening since 2014 after an “unauthorized party” managed to gain unauthorized access to the Starwood’s guest reservation database, and had copied and encrypted the information.

Marriott discovered the breach on September 8 this year after it received an alert from an internal security tool “regarding an attempt to access the Starwood guest reservation database in the United States.”

On November 19, the investigation into the incident revealed that there was unauthorized access to the database, containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

The stolen hotel database contains sensitive personal information of nearly 327 million guests, including their names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date, and communication preferences.

What’s worrisome? For some users, stolen data also includes payment card numbers and payment card expiration dates.

But, according to Marriott, “the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” Attackers need two components to decrypt the payment card numbers, and “at this point, Marriott has not been able to rule out the possibility that both were taken.”

“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” the company said in a statement.

Marriott confirmed that its investigation into the incident only identified unauthorized access to the separate Starwood network and not the Marriott network. It has also begun informing potentially impacted customers of the security incident.

The hotel company has begun notifying regulatory authorities and also informed law enforcement of the incident and continues to support their investigation.

Since the data breach falls under European Union’s General Data Protection Regulation (GDPR) rules, Marriott could face a maximum fine of 17 million pounds or 4 percent of its annual global revenue, whichever is higher, if found breaking any of these rules

Original Source Here