Marriott Discloses New Data Breach Impacting 5.2 Million Guests (cnet.com)
An anonymous reader quotes a report from CNET: Marriott International said Tuesday that names, mailing addresses, loyalty account numbers and other personal information of an estimated 5.2 million guests may've been exposed in a data breach. This is the second major security incident to hit the hotel group in less than two years. Marriott said it spotted that an "unexpected amount" of guest information may've been accessed at the end of February using the login credentials of two employees at a franchise property. The hotel group said information exposed may include names, addresses, emails, phone numbers and birthdays as well as loyalty account details and information like room preferences. Marriott said the investigation is ongoing but that it doesn't believe credit card numbers, passport information or driver's license numbers were exposed. In 2018, Marriott announced that hackers compromised the reservation database for its Starwood division, exposing records of up to 383 million guests and more than 5 million passport numbers.
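The detection described in the summary, an "unexpected amount" of guest records pulled under two valid employee logins, is a volume anomaly, not a credential failure: the accounts authenticated fine, they just read far more than a front-desk account ever does. The script below is an added example and not Marriott's code or any real product; the log format, user names, property IDs, thresholds and sample lines are all constructed for illustration. It totals records accessed per account per day, builds a leave-one-out median baseline for each account, and flags any day that exceeds both an absolute floor and a multiple of that baseline.

```python
"""Volume-based anomaly check on guest-record access logs.

Added example, not Marriott's code or any real tooling. The log format,
field names, thresholds and sample lines are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "<ISO timestamp> <user> <property> <records returned>".
# Three ordinary working days, then one night where two accounts bulk-read.
SAMPLE_LOG = """\
2020-01-06T09:12:00 fd_alice PROP-17 3
2020-01-06T14:30:00 fd_alice PROP-17 2
2020-01-06T10:05:00 fd_bob PROP-17 4
2020-01-07T09:40:00 fd_alice PROP-17 2
2020-01-07T11:10:00 fd_bob PROP-17 3
2020-01-08T08:55:00 fd_alice PROP-17 4
2020-01-08T09:00:00 fd_bob PROP-17 2
2020-02-20T02:13:00 fd_alice PROP-17 1800
2020-02-20T02:41:00 fd_bob PROP-17 2600
2020-02-20T10:00:00 fd_carol PROP-17 5
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, prop, records = line.split()
        day = datetime.fromisoformat(ts).date().isoformat()
        events.append({"day": day, "user": user, "property": prop,
                       "records": int(records)})
    return events


def daily_totals(events):
    """Sum records returned per (user, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["day"])] += e["records"]
    return dict(totals)


def flag_anomalies(totals, floor=100, multiplier=10):
    """Flag (user, day) pairs whose volume is unusual for that user.

    Baseline = median of the user's OTHER days (leave-one-out), so one
    huge day cannot drag its own baseline upward. A day is flagged when
    it exceeds max(floor, multiplier * baseline); users with no other
    history are judged against the absolute floor alone.
    """
    by_user = defaultdict(dict)
    for (user, day), total in totals.items():
        by_user[user][day] = total

    flags = []
    for user, days in by_user.items():
        for day, total in days.items():
            others = [t for d, t in days.items() if d != day]
            baseline = median(others) if others else None
            threshold = floor if baseline is None else max(floor, multiplier * baseline)
            if total > threshold:
                flags.append({"user": user, "day": day, "total": total,
                              "baseline": baseline, "threshold": threshold})
    return sorted(flags, key=lambda f: (f["day"], f["user"]))


if __name__ == "__main__":
    for f in flag_anomalies(daily_totals(parse_log(SAMPLE_LOG))):
        print(f"{f['day']} {f['user']}: {f['total']} records "
              f"(baseline {f['baseline']}, threshold {f['threshold']})")
```

The leave-one-out baseline is the design choice worth noting: an attacker who holds valid credentials for weeks can otherwise "train" a naive per-user average upward before the bulk pull. In practice the same totals would also be keyed by source IP and hour of day, since a 02:00 read of thousands of records from a franchise front-desk account is suspicious on timing alone.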
And once again (Score:3)
I've said it before, I'll say it again. I understand you can't hold the Cxx's personally responsible. But you can sure as shit levy a fine large enough to make the stockholders take notice. As in, any dividend goes to zero for a few years, no money for stock buybacks, no money to upgrade your equipment. In other words your credit goes to junk status and the fines ensure it stays there for a while.
Re: (Score:1)
Kill the corporate charter, make them pay taxes. That might poke them a little. Problem is that there is insufficient demand from the public, just not an election issue.
Re: (Score:2)
You don't actually know whether the CXO didn't value security. In general, I wouldn't expect a CXO (outside of perhaps a CTO) to know one thing about back-end IT security. It's not their job. That's why they hire security experts and IT people. Now it MAY be the case that IT was underfunded. But it also MAY be the case that the person/people in IT had sufficient funds but were simply incompetent. Or it may be the case that two employees were complete dumbasses and were socially engineered. Pro tip - there's
Re: (Score:2)
There's no responsibility (except for the hackers) because there is no obligation to protect your personal data. Until there is a law that says they are liable for massive fines and maybe some criminal negligence they consider themselves blameless victims.
After the £99m fine for 2018 (Score:1)
Could there be any better time to disclose? (Score:3)
Now nobody listens to non-corona news anyway.
I am sure they did everything they could! (Score:3)
Everything they could absolutely not avoid doing, that is. Time to make this criminally negligent and send all those responsible to prison. No, that will not be the sysadmin, that will be management.
READ the summary, at least (Score:2)
Did no one actually READ the summary? I know that this is /. and that no one actually reads the articles. I also know it is fun to bash CXX-level executives. But the summary is very clear:
using the login credentials of two employees at a franchise property.
So either a) there are a couple of dishonest employees trying to make a buck, b) a couple of employees had weak, easy to guess passwords, or c) someone got phished.
Yes, managers should be instructing employees on phishing prevention, and on password security. But the employees are responsible for actually listening aren't