WBIW.com News - local

Brought to you by WBIW News and Network Indiana

Marriott Says Breach Of Starwood Guest Database Compromised Up To 500 Million Users

Last updated on Tuesday, December 4, 2018

(UNDATED) - Following the recent announcement of a security breach affecting the extensive Marriott International hotel network, a Ball State University professor is recommending that people change their credit card numbers and be on alert for identity theft.

Marriott International, the world's largest hotel chain, announced Friday that a breach of its Starwood reservation database may have affected up to 500 million guests. It is potentially one of the largest breaches of consumer data ever.

"Data breaches of personal information including credit data are becoming commonplace in the U.S. and, as consumers, we have a right to be wary of it," said Rebecca Hammons, a professor in the Center for Information and Communication Sciences (CICS) at Ball State. "Today's disclosure by Starwood, parent of many hotel and property chains including Marriott, of the unauthorized access to millions of users' data is reminiscent of recent Anthem and Target hacks.

"As consumers, we have a right to credible and detailed information from Starwood. For example, if the nearly four years of unauthorized access was discovered in September, why is it still unclear who engineered the hack and their possible motivations? This could, for example, be a situation of mismanaged internal user access controls. Understanding such information can reduce consumer uncertainty and anxiety."

The world's largest hotel chain said it first received an alert in September from an internal security tool of an attempt to access the database. As part of an investigation, the company discovered there had been unauthorized access since 2014 and that an "unauthorized party" had copied and encrypted information.

Marriott said it determined on Nov. 19 that the information was from its Starwood database.

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," the company said in a statement.

For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Some customers may also have had their credit card information taken. While that data would have been encrypted, Marriott said it can't rule out that the information may have been decrypted.

Marriott said it had taken steps to address the breach and is working with authorities. The company said that the "unauthorized party" was able to copy and encrypt some information within its system "and took steps toward removing it," but did not detail how much data had actually been removed.

Personal information exposed in data breaches can often make its way to the black market, where it can be purchased and used to execute a variety of attacks on individuals including identity theft and targeted email phishing schemes.

The company has set up a website for any consumers who worry that their information may have been part of the breach and will be notifying customers by email. Marriott will also provide guests with one year of WebWatcher, a digital security service.

"We deeply regret this incident happened," Marriott President and CEO Arne Sorenson said in a statement. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

Brian Frosh, the attorney general of Maryland, where Marriott is headquartered, tweeted that his office was launching an investigation into the breach.

"The Marriott data breach is one of the largest and most alarming we've seen," Frosh tweeted. "My office is launching an investigation to find out the circumstances that led to the breach and its impact on consumers."

Professor Hammons suggests that frequent travelers use a single credit card with a manageable limit for travel needs and memberships, whether for airlines, hotels, rental cars, ride-sharing or other such services.

"This makes it easier to quickly shut down any fraudulent activities, and many card services will reach out to you if their algorithms detect unusual activity. If you use a specific credit card with Starwood properties for your travel, you might proactively contact your card service provider and change your card number, despite the inconvenience of updating your online use of the current card as a method of payment."

Hammons has extensive technology industry experience in establishing and leading software quality assurance, product development lifecycle services, and project management teams.

"As consumers, we should be outraged by the seemingly endless flow of such breaches in the U.S.," she said. "We must lobby our legislators at the state and federal levels to pursue protections such as those provided to European Union residents through GDPR (General Data Protection Regulations) that enable greater consequences to companies for failing to implement best practices in assuring the security of our personal data.

"Given that Starwood has a global clientele, it is very likely that they will be subjected to GDPR regulations and potential fines, which became effective last May. We should have similar protections in the U.S., yet our data security protections significantly lag other developed countries. In this matter, we should be consumer-driven and not business-driven in our laws."
