Not to worry, Yahoo, you still had the largest data breach in corporate history, at 3 billion records. But at 500 million, Marriott is a strong second, and maybe should be first.
That’s because of the nature of the data that went out the door for about 327 million of the people who had stayed at a Starwood property on or before September 10, 2018. (And starting in 2014, because that’s how long it’s been since someone first broke into the system.)
The data included some combination of name, mailing address, phone number, email address, Starwood Preferred Guest (“SPG”) account information, birth date, gender, arrival and departure information, reservation date, communication preferences, and passport number.
Passport number? Yup. They kept them on file. And an undisclosed number of encrypted payment card numbers, expiration dates, and maybe (Marriott’s really not quite sure) enough information to let someone crack the encryption.
Yes, this is really, really bad.
Oh, and TechCrunch also noted the claim that Russian cybercriminals got into the Starwood servers. It can’t keep getting worse, right?
You know the answer.
Marriott’s promised email notifications to affected customers will come from a fake-ish looking email address, as TechCrunch noted, and one that could be easily spoofed by people who want to cause even more damage. In other words, beware of phishing attacks that piggyback on Marriott’s efforts to address the terrible position it has put so many customers in.
And now we come around to the latest insanity. As part of its response, Marriott set up a website that ultimately points you to a third party service that “monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.”
The third party running the service, corporate investigations and risk management firm Kroll, is of course going to need information from you to see if it pops up on the dark web. Here is what they might want, directly from their website:
- name, address, phone number, and e-mail address
- date of birth, driver’s license number, social security number, passport number, and other similar information
- copies of government-issued photo identification, Social Security card and/or utility bill(s), where applicable
- credit card number and other financial account data, including your consumer credit file(s), as applicable
- your responses to security questions; the information you provide in customer service correspondence; and general feedback
You’re going to have to cough up enough information to see if they can match it to anything on the dark web. You’ll have to trust that everything will be fine. Which is what you did with Marriott in the first place.
Fat lot of good that did almost half the country.
How does this keep happening? As I explained in a piece over at Vice Motherboard, it all comes down to economics. The ultimate penalties big companies pay are so infrequent, and so small in comparison to their revenues, that they become something just as easy to ignore. The millions of dollars you may hear about as the cost of a data breach are significantly smaller than a rounding error in their accounting.
Not that I’m suggesting Marriott is ignoring this. Just a comment on the general treatment of customer data security by large corporations.
The only hope is that government officials take enough heat from voters that they put significant fiscal punishment into place. I’d settle, at least in this case, for Marriott to pay the cost for all the people who might now need to obtain a new passport. That at least would be a start.
But there’s the other factor: consolidation. Marriott is the largest hotel operator in the world. If you’re traveling, there’s a good chance you’ll land in one of its properties. Unless, of course, you remember all this nonsense and intentionally stay elsewhere.
Even if you don’t get more points, you might at least keep your data secure.