Link: Marriott Hacking Exposes Data of Up to 500 Million Guests

Shared on December 1, 2018

Nicole Perlroth, Amie Tsang, and Adam Satariano for The New York Times:

The hotel chain asked guests checking in for a treasure trove of personal information: credit cards, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests. […]

The breach hit customers who made reservations for the Marriott-owned Starwood hotel brands from 2014 to September 2018. The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Element and the Luxury Collection. […]

The names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.

It’s unfortunate that Marriott is left to clean up the mess from pre-merger Starwood, but I’m surprised nothing was caught during the due diligence during the merger process. Outside of maybe recording the bare minimum about stays to a loyalty program, there’s no reason hotel data should be kept longer than absolutely necessary.

Furthermore, until there are sizeable penalties for these data breaches, companies have no incentive to take preventative steps. Target? Nobody stopped shopping there. Anthem? Employers didn’t switch to other insurers in droves. Equifax? Things are essentially the same for them as they were before the breach. The only exception would be Yahoo, but it was already a sinking ship before the data breach.
