Nov. 30th, 2018

thewayne:
This time it's only a mere 500 million people whose information was compromised. The breach was detected in September and goes back to 2014! Apparently Starwood found their POS register system was compromised back then, and now it turns out it was a lot more than their registers! The criminals got into their database and extracted information from it, then they encrypted it on Starwood's servers before extracting it! Starwood had software in place called data-loss prevention tools, but since the stolen info was encrypted, the tools did not detect it.

VERY clever.

If Starwood had encrypted their entire database, they might have had a better chance of defending themselves, but there are all sorts of risks and problems involved when you do full database encryption.

Krebs quotes a Marriott statement released this morning: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

Marriott added that customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.


I don't think the thieves would have worked on this for 4+ years without having gotten the keys and being able to decrypt the card information.

The article goes on to say:
Marriott says its own network does not appear to have been affected by this four-year data breach, and that the investigation only identified unauthorized access to the separate Starwood network.

Starwood hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program.

...

The breach announced today is just the latest in a long string of intrusions involving credit card data stolen from major hotel chains over the past four years — with many chains experiencing multiple breaches. In October 2017, Hyatt Hotels suffered its second card breach in as many years. In July 2017, the Trump Hotel Collection was hit by its third card breach in two years.


https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/
