Marriott Discloses New Data Breach Impacting 5.2 Million Guests (cnet.com)

An anonymous reader quotes a report from CNET: Marriott International said Tuesday that names, mailing addresses, loyalty account numbers and other personal information of an estimated 5.2 million guests may've been exposed in a data breach. This is the second major security incident to hit the hotel group in less than two years. Marriott said it spotted that an "unexpected amount" of guest information may've been accessed at the end of February using the login credentials of two employees at a franchise property. The hotel group said information exposed may include names, addresses, emails, phone numbers and birthdays as well as loyalty account details and information like room preferences. Marriott said the investigation is ongoing but that it doesn't believe credit card numbers, passport information or driver's license numbers were exposed. In 2018, Marriott announced that hackers compromised the reservation database for its Starwood division, exposing records of up to 383 million guests and more than 5 million passport numbers.
  • by Snotnose ( 212196 ) on Tuesday March 31, 2020 @07:37PM (#59894998)
    Who are we holding responsible? Surely not the Cxx suite that decided security wasn't worth spending money on.

    I've said it before, I'll say it again. I understand you can't hold the Cxx's personally responsible. But you can sure as shit levy a fine large enough to make the stockholders take notice. As in, any dividend goes to zero for a few years, no money for stock buybacks, no money to upgrade your equipment. In other words your credit goes to junk status and the fines ensure it stays there for a while.
    • Kill the corporate charter, make them pay taxes. That might poke them a little. Problem is that there is insufficient demand from the public, just not an election issue.

    • by samdu ( 114873 )

      You don't actually know whether the CXO didn't value security. In general, I wouldn't expect a CXO (outside of perhaps a CTO) to know one thing about back-end IT security. It's not their job. That's why they hire security experts and IT people. Now it MAY be the case that IT was underfunded. But it also MAY be the case that the person/people in IT had sufficient funds but were simply incompetent. Or it may be the case that two employees were complete dumbasses and were socially engineered. Pro tip - there's

      • Ultimately, the buck stops at the CTO and/or CIO. It is their responsibility to ensure they have the correct people in place with adequate funding. After the first breach, let alone the second, they should have performed a root cause analysis to determine where the deficiencies were. As for handing over the keys, implementing MFA prevents the vast majority of social engineering attacks. MFA isn't infallible, which is why you also monitor your systems closely for suspicious activity so you can detect when a br
    • by AmiMoJo ( 196126 )

      There's no responsibility (except for the hackers) because there is no obligation to protect your personal data. Until there is a law that says they are liable for massive fines and maybe some criminal negligence they consider themselves blameless victims.

  • Guess it will be more even if the breach is smaller. Two years after the first one, a second massive breach needs a response.
  • Now nobody listens to non-corona news anyway.

  • by gweihir ( 88907 ) on Wednesday April 01, 2020 @07:47AM (#59896586)

    Everything they could absolutely not avoid doing, that is. Time to make this criminally negligent and send all those responsible to prison. No, that will not be the sysadmin, that will be management.

  • Did no one actually READ the summary? I know that this is /. and that no one actually reads the articles. I also know it is fun to bash CXX level executives. But the summary is very clear.

    using the login credentials of two employees at a franchise property.

    So either a) there are a couple of dishonest employees trying to make a buck, b) a couple of employees had weak, easy to guess passwords, or c) someone got phished.

    Yes, managers should be instructing employees on phishing prevention, and on password security. But the employees are responsible for actually listening aren't
