×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Marriott Discloses Missing Data Files

Zonk posted more than 8 years ago | from the i-seem-to-have-misplaced-this-small-item dept.

Privacy 162

An anonymous reader writes "Marriott International has admitted that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company." From the Washington Post story: "Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost. An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

162 comments

why do they have SSNs for customers? (4, Interesting)

rritterson (588983) | more than 8 years ago | (#14376663)

Can anyone tell me why Marriot has the SSNs of Customers?

Time-share owners, maybe, employees definately, but customers? Why?

Re:why do they have SSNs for customers? (4, Funny)

User 956 (568564) | more than 8 years ago | (#14376677)

Time-share owners, maybe, employees definately, but customers? Why?

Look, they're just making sure you don't steal any towels. Towel theft is a big deal.

Re:why do they have SSNs for customers? (2, Funny)

tq_at_sju (218880) | more than 8 years ago | (#14376819)

i got a marriot towel..... i mean i'm kind of a big deal....people know me

Re:why do they have SSNs for customers? (4, Informative)

QuantumG (50515) | more than 8 years ago | (#14376680)

Unless your business model including some sort of recurring billing there is absolutely no justification for storing every digit of a credit card number. The first and last digits are more than enough for data matching purposes.

Re:why do they have SSNs for customers? (3, Informative)

Pampusik (458223) | more than 8 years ago | (#14376688)

I believe this concerns time share loans, in which case a SSN would be required in the credit process.

Re:why do they have SSNs for customers? (3, Interesting)

cayenne8 (626475) | more than 8 years ago | (#14376727)

" I believe this concerns time share loans, in which case a SSN would be required in the credit process."

Well, even if so...why did they keep the numbers? I've run into things where people wanted my SSN....which I pretty much refuse to give to anyone not associated with ssn taxes....but, to get around it...I just give a deposit in lieu of SSN.

Re:why do they have SSNs for customers? (3, Informative)

Pampusik (458223) | more than 8 years ago | (#14376732)

They would need to keep the SSNs to share with their loan servicer(s?) and backup companies.

In most cases, when you take out a loan with somebody, your data is likely being shared with everybody they do business with related to the servicing of the loan... especially if you're a "high risk" customer (e.g., low credit score).

Re:why do they have SSNs for customers? (2, Informative)

HD Webdev (247266) | more than 8 years ago | (#14376881)

Well, even if so...why did they keep the numbers? I've run into things where people wanted my SSN....which I pretty much refuse to give to anyone not associated with ssn taxes....but, to get around it...I just give a deposit in lieu of SSN.

As far as loans, they keep the numbers because if a person defaults on the loan that's the only data they have that's unique to the person who defaulted. For example, if the debt gets sold cheaply to a debt collection agency, the collection agency needs that number to track the person if the person moves somewhere else. "John Jones of 123 Main St. Anytown, USA" isn't very useful if John Jones moves to another state.

Re:why do they have SSNs for customers? (4, Informative)

llefler (184847) | more than 8 years ago | (#14376917)

They need to keep your SSN for tax purposes. Depending on your agreement, the loan to 'buy' your timeshare is considered a mortgage. So they need to report interest to the IRS. Not to mention, a credit agency is going to use your SSN to avoid simple name collisions.

As far as keeping your credit card number, they could be requiring it to cover maintenance fees or it's possible customers are automatically having their loan payments charged to their credit card. I do that with a couple of my monthly expenses so I don't have to write a check. (having both electronic withdrawals and automatic billing to credit cards, I prefer the latter)

While I suppose you can get around these by buying the timeshare outright, and prepaying maintenance fees, most customers do not want to do that.

Re:why do they have SSNs for customers? (2, Informative)

mmclean (29486) | more than 8 years ago | (#14376755)

It is the Time Share division of Marriott, and they are required to have SSN's for those customers for mortgage interest reporting purposes.

Re:why do they have SSNs for customers? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14376765)

Exactly! Why do they keep this shit? And how come they are never held accountable when they do?

It seems to go like this: "Oops we just lost all your personal information (or had it stolen). Sorry." And that's the end for them. And that's the possible beginning of a nightmare for you.

I mean what the fuck? Where is the accountability? If they store that information, they should be held accountable for doing so.

Marriott should, at the least, be fined a LARGE amount ($$ millions) or have some sort of charges brought against them. That goes for anyone else holding my information and disclosing it.

Where the fuck is the outrage at this practice?

Re:why do they have SSNs for customers? (1)

timeOday (582209) | more than 8 years ago | (#14376828)

Can anyone tell me why Marriot has the SSNs of Customers?
What makes you think they do? I've stayed at Marriots and never been asked for my SSN, so I doubt the SSN loss refers to normal customers.

Re:why do they have SSNs for customers? (5, Insightful)

toddbu (748790) | more than 8 years ago | (#14376842)

Can anyone tell me why Marriot has the SSNs of Customers?

I think that you're asking the wrong question here. Shouldn't you be asking "why does it matter if they keep your SSN?" Our whole system of using SSNs to identify people is broken, and if Congress would get off their lazy duffs and fix the problem then maybe it wouldn't matter if someone had my SSN number or not. A simple change to credit reporting laws that would require a second level of verification of the identity of a consumer before granting credit, like what happens when you put a fraud alert on your credit report, would go a long way toward fixing this problem. But those who issue credit are afraid that if you got rid of easy credit then their market would collapse. I'll agree that some people would be inconvenienced by such a system (like those who move around a lot), but it sure would reduce fraud. At the very least, I should have the option of making a fraud alert permanent, and to have complete control over who can view my credit history. Then maybe it wouldn't make such a difference if someone got my personal information.

Re:why do they have SSNs for customers? (2, Insightful)

slick_rick (193080) | more than 8 years ago | (#14376899)

Why stop there? Why does any entity need to hold on to my SSN? Why not just make it illegal to do so? I work with large databases every day (100k+ "souls") and it is insane to me that we keep the SSN for all these people. What a security nightmare/identity thief's dream. I've argued with my boss several times that we should dump the SSN and just keep a few hashes instead (md5/sh1/whatever). He doesn't like that idea for valid reasons (mainly compatibility with other systems that don't know shit about a hashed SSN).

I really wish congress would pass a law stating that no private entity without a federal charter can hold an SSN longer then 30-60 days. I could then share hashed SSNs with various other DBs because they would have to deal with those, or face the legal consequences.

Of course I think all commercial entities should be mandated to purge all customer data after two years as well. Why should Sears keep my SSN on file forever just because I had a credit card with them 10 years ago?

Re:why do they have SSNs for customers? (2, Informative)

HardCase (14757) | more than 8 years ago | (#14376903)

Can anyone tell me why Marriot has the SSNs of Customers?

They probably don't. As the article says, the backup tapes contained credit card numbers and SSNs of workers, time share owners and customers. That reasonably means that they've lost the credit card numbers of time share owners and customers and the SSNs of time share owners and employees.

So they've lost this data, but it seems to me that they're being reactive in a positive way - they've notified the right people in government, they've contacted financial institutions and they've notified their customers, along with issuing a public statement about it.

The article claims that the data requires "special equipment" to retrieve the data - some comfort, I guess, unless that special equipment isn't just a DAT drive and a backup program.

I wouldn't call their measures "proactive", as did the Marriott spokesperson, but the company seems to be reasonably open about it.

-h-

Lost != Stolen (1)

LiquidCoooled (634315) | more than 8 years ago | (#14376665)

We can only hope these tapes have been misplaced or actually lost rather than stolen for the information they contain.

All backups should be done on VERY obscure hardware to reduce the danger of things like this ;)
If the crooks can't read the tapes theres no problem (same goes for strong encryption)

Re:Lost != Stolen (0)

Anonymous Coward | more than 8 years ago | (#14376702)

not really. security through obscurity doesnt work, as demonstrated by microsoft

Re:Lost != Stolen (0)

Anonymous Coward | more than 8 years ago | (#14377044)

not really. security through obscurity doesnt work, as demonstrated by microsoft

Yes, it does, as demonstrated by Linux. Obscuring the source code but having the exact same software on 80% of PCs is not going to work. Running entirely unique code, even if it's buggy and full of holes, will protect you from almost all casual scanning, though not a directed attack.

Re:Lost != Stolen (3, Interesting)

quarkscat (697644) | more than 8 years ago | (#14376718)

Be afraid. Be very afraid.

Considering the time of year, no doubt some Marriott PHB who was looking for some extra X-Mas cash decided to "sell their list". While many companies have absolutely no qualms about selling customer information (AKA creating a new "profit center"),
I am more inclided to believe that the backup tapes were lost or stolen, rather than a conscious effort to create a new corporate profit center.

Then again, John Poindexter's "Total Information Awareness" project (entirely DoD databases) was morphed into "MATRIX", which was designed to make use of multiple commercial (and commercially available) databases. So, perhaps, it was was merely an "extra patriotic" Marriott employee.

Considering recent events in the news (non-FISA approved wiretapping), perhaps one possibility is just as scary as the other...

Re:Lost != Stolen (2)

nolife (233813) | more than 8 years ago | (#14376773)

Security through obscurity in not a reliable form of security. You have to pay for that obscurity by having a one off system that is not supported and you pay through the nose to keep it running reliably in your enterprise. A standard LTO3 backup tape is almost $100, imagine what some specialized tape would cost when your company is the only one buying them.
Basically, you pay a lot of money for some unknown amount of obscurity and reliability that has not been tested by more then a few people. Not cost effective at all when compared to standard equipment coupled with good security practices like accounting, tracking, and encryption. Is there even an enterprise backup system sold in the last few years that does not support some type of encryption?

IT is a cost center, not a revenue generator. Trying to squeeze security hardware, software, or better practices into IT budgets and manpower is a hard and normally plays out some combination of two ways.

Proactive and shot down -
IT managers have a hard time getting others outside of IT to listen to potential issues. This changes rapidly after a breach and IT managers may be replaced.

Coast and milk -
IT managers do not even want to bring up or even know about things like security because doing things the way they have always been has worked so far and makes the technical part of the manager job easier. Why rock the boat? That system was in place when I got here and we've been doing it this way for years and certainly "they" up there no about it so I'll go with the flow. That method of brown nosing and coasting with your other manager peers for a while typcially leads to the unemployment line with a knife in your back after a security breach! As it should IMHO.

Re:Lost != Stolen (2, Funny)

MichaelSmith (789609) | more than 8 years ago | (#14376928)

All backups should be done on VERY obscure hardware

In a previous job we did all our backups on nine track tape. Older backups were impossible to read because the magnetic coating would just stick to the read head.

Nobody was going to steal that data!

Great. (3, Informative)

User 956 (568564) | more than 8 years ago | (#14376667)

With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million [cnn.com]. That should stop those crooks!

Re:Great. (3, Insightful)

dc29A (636871) | more than 8 years ago | (#14376683)

Why is the job of Homeland Security to secure the data storage of a random company? Start putting out heavy fines on companies who fail to securely store customer data and the problem will go away. Right now there is no "incentive" for companies to keep personal data stored safely. A little PR can take care of a hack.

Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.

Re:Great. (3, Insightful)

User 956 (568564) | more than 8 years ago | (#14376699)

Companies need to be held liable for the safety and security of their customer's data. The problem then will go away.

I'm hearing you. I think the way the SSN system works with the financial system is horribly inefficient, insecure, and pront to abuse. But you need to cover both ends. Security on the front end, and proper policing on the back end. Cutting the DHS budget certainly isn't going to help-- especially when hundreds of millions are allocated for projects like the bridge to nowhere. [usatoday.com]

Re:Great. (2, Insightful)

gasjews (941147) | more than 8 years ago | (#14376779)

Can we say inefficient and bloated government administration?

I always vote down school tax proposals becuase our local school system has yet to manage to improve the quality of education or teaching while managing to find all sorts of things to spend money on like new toys for the administration to play with, overpriced school complexes (65 million dollars for a school that reasonably holds 3000 at best?), marketing campaigns, etc.

DHS doesn't need more money. They need to be smart. Unfortunately, bureaucracies are just an extension of modern democracy and modern democracies are largely incapable of meaningful consensus or leadership.

Re:Great. (1)

User 956 (568564) | more than 8 years ago | (#14376902)

Unfortunately, bureaucracies are just an extension of modern democracy and modern democracies are largely incapable of meaningful consensus or leadership.

Judging by your website, I'm suddenly not sure a society-wide consensus is a good thing.

Re:Great. (2, Insightful)

Ravatar (891374) | more than 8 years ago | (#14376892)

That won't necessarily eliminate carelessness on the companies' part. If the fine is less than the cost to properly secure the data, nothing will change.

The only group that benefits in this case is the government.

Re:Great. (4, Insightful)

dangitman (862676) | more than 8 years ago | (#14376711)

With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million. That should stop those crooks!

Given the lack of competence of DHS, eliminating their funding can only be a good thing. They only seem to make things worse, and haven't really shown any evidence of being effective at doing anything other that waste money and erode civil liberties.

Re:Great. (0)

Anonymous Coward | more than 8 years ago | (#14376908)

And that is why I am no longer a Republican.

Re:Great. (1)

kfg (145172) | more than 8 years ago | (#14376944)

. . .haven't really shown any evidence of being effective at doing anything other that waste money and erode civil liberties.

You say that like you think it's a bad thing.

KFG

Re:Great. (1)

bryan986 (833912) | more than 8 years ago | (#14376962)

Yup and I bet you want another terrorist attack like 9/11. They had all the facts about when the attack was going to happen, but it was to spread out amongst the agencies. Perhaps you should read the 9/11 comission reports and watch a few decent documentaries before making irresponsible comments like that.

Damn right (was:Great.) (1)

Lead Butthead (321013) | more than 8 years ago | (#14376742)

With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million. That should stop those crooks!
After all, the ability to monitor at will of all forms of communications between every American resident and "potential terrorists," is FAR more important than such trivial matter as preventing identity thieft or credit fraud. (Yes, I am being sarcastic.)

Re:Great. (4, Informative)

Dhalka226 (559740) | more than 8 years ago | (#14376817)

I'm glad the Department of Homeland Security has had their budget cut to $16 million.

That's misleading. Their RESEARCH budget for CYBERSECURITY is cut to $16 million, and that's only down 7% from last year, which means under $2 million in cuts.

You can argue it should be higher if you wish, but don't make it sound like the entire DHS--or even cybercrime enforcement in general--is funded that sparsely.

Re:Great. (1)

HardCase (14757) | more than 8 years ago | (#14376923)


With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million. That should stop those crooks!


I think that you are mistaken [dhs.gov].

Cyber Security is enhanced in the budget to augment a 24/7 cyber threat watch, warning, and response capability that would identify emerging threats and vulnerabilities and coordinate responses to major cyber security incidents. An increase of $5 million is proposed in the budget for this effort, bringing the program total to $73.3 million.

-h-

Re:Great. (2, Insightful)

Jeff DeMaagd (2015) | more than 8 years ago | (#14376948)

With $105 billion in this type of crime in 2005, I'm glad the Department of Homeland Security has had their budget cut to $16 million.

Is this a real budget cut, or a cut in projected increases?

Government budget cuts are the most preposterous lies I've seen in a long time. Say the next year's budget is slated to increase 8%. Let's just say that increase is reduced to 4%. Politicians, pundits and media people can then claim (or complain of) a 4% cut, despite that in reality, it was still an increase, the cut was from an imaginary budget that was never enacted. I wish my pay suffered a government budget cut.

Woo Hoo! (1)

brentyl2 (877919) | more than 8 years ago | (#14376669)

8th post! On a more serious note, even if this data was lost through no fault of Marriott's (stolen, say), I think this points out the need to legislate a consumer notification requirement. If there is a reasonable chance that my name and info are on one of those tapes, I think Marriot has the obligation to let me know. They will never do so without being compelled.

Re:Woo Hoo! (0)

Anonymous Coward | more than 8 years ago | (#14376746)

My personal information was on the missing tapes and Marriott did send me a notification letter my snail mail and extended identity theft insurance free of charge. Marriott did the right thing in this case. Kudos for the notification. I'm hoping that their physical security will be improved because of this.

Re:Woo Hoo! (1)

ScottCooperDotNet (929575) | more than 8 years ago | (#14376833)

even if this data was lost through no fault of Marriott's (stolen, say)

In that case the company has some responsibility; cutting corners on data security is something no shareholder should allow.

Re:Woo Hoo! (1)

MichaelSmith (789609) | more than 8 years ago | (#14376943)

need to legislate a consumer notification requirement.

How about a law requiring them to pay for the losses they have caused?. Doing that might make companies think twice before retaining data on their customers.

I know it is busy during the holidays, but... (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14376670)

Mid November? I think some people would have wanted to know sooner. Why are we just now finding out about this?

Identify theft a fad? (1)

cloudkj (685320) | more than 8 years ago | (#14376675)

Anyone notice the curious increasing trend of identity theft related data leaks in the past year or so? It's as if all this data were exposed overnight, leading to massive potential security breaches. I think it's more a result of media sensationalism. But that's not to say that these identiy theft problems don't exist; rather, that they've been here all along.

Re:Identify theft a fad? (4, Interesting)

MaineCoon (12585) | more than 8 years ago | (#14376690)

Back in ancient days (pre-500 AD for example), it was not a rare thing for vaguely look-alike, or not even look-alike people, to claim to be someone famous/important in a village or town where nobody could invalidate the claim (or those who would validate it were being duped or willing participants).

This is a quite old crime. The difference is that now identity theft of everyday people can be lucrative, and you don't even need to look like them or deal with tricking others. And you don't have to worry about being lynched or stoned, just going to jail.

Re:Identify theft a fad? (1, Informative)

Anonymous Coward | more than 8 years ago | (#14376697)

The reason you're now hearing about is because states (California and others) have begun passing laws requiring companies to disclose these types of events.

Oh thank you thank you thank you! (4, Funny)

rleesBSD (909405) | more than 8 years ago | (#14376686)

Now wifey will never know.

Re:Oh thank you thank you thank you! (0)

Anonymous Coward | more than 8 years ago | (#14376780)

Now wifey will never know.

Luckily for wifey only a set of backup tapes were lost. RTFA you cheating bastard!

Macs (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14376695)

This is a serious comment, i am only doing this as an AC to avoid being modded +5 funny, -7 flamebait. Why do people on slashdot not mind macs, and yet act like microsoft is the devil (which it, obviously is). Apple's Macintosh is not only just as a proprietary piece of crap as Windows, but it also forces you to purchase their HARDWARE if you want to use it the "legit" way (though this may change with mactels, they have been operating this way for years). In my opinion, each of the two companies is, after all considerations THE WORST FUCKING THING TO EVER HAPPEN TO COMPUTING.

This kind of thing keeps happening... (3, Insightful)

dlaur (135032) | more than 8 years ago | (#14376703)

Let me ask a simple question: Why don't they encrypt this stuff?

Re:This kind of thing keeps happening... (1)

andrewski (113600) | more than 8 years ago | (#14376738)

Maybe because their partners in organized crime would find it tougher to use the tapes?

But more likely it's just sheer laziness combined with a lack of government mandated punishment for such leaks. If Uncle Sam started fining companies $25,000 for each item of sensitive leaked information, I think that these leaks would stop instantly.

Re:This kind of thing keeps happening... (3, Insightful)

HermanAB (661181) | more than 8 years ago | (#14376848)

No, only the *reporting* of leaks will stop instantly...

Re:This kind of thing keeps happening... (1)

omirix (819581) | more than 8 years ago | (#14376849)

I'm sure they do. It doesn't state anywhere the data is unencrypted.

Re:This kind of thing keeps happening... (1)

Bishop (4500) | more than 8 years ago | (#14376894)

Encryption is not always the answer. A single block error could render an entire encrypted archive useless. There is also the problem of managing the encryption keys. Security is about more then just denying access to data. Ensuring access to data is an aspect of data security that is just as important.

Re:This kind of thing keeps happening... (2, Informative)

Anonymous Coward | more than 8 years ago | (#14376977)

> A single block error could render an entire encrypted archive useless.

Huh? Where in the world did you come-up with that?

That would only be true if your encryption uses CBC (Cipher Block Chaining) mode. That's where you XOR each block with the ciphertext of the previous block. An error in one block affects that block and every subsequent block like you describe.

When you use ECB (Electronic Code Book), the regular DES algorithm, you encrypt each 64-bit block independently. Errors only affect the data in the block containing the error. This is the faster and easier to implement than CBC mode so it's what a lot of products use.

I've seen a couple of companies play around with using encryption on their backups, but they stopped for the same reason I've seen more intentionally not use it. You don't want to pull-out a tape from a library and not be able to read it. Do you really want to keep-up with a list of passwords for a decade or more? Would you want to be the IT director someone that has to tell a CEO that the $250k you've spent on backup tapes and storage costs was for naught since you can't read the tape? I saw a CTO fired for exactly that.

Of course since I'm responding to a register user, I'll be marked as a troll or flamebait so this response will never be read. I don't know why I bother posting on this cesspool. Posts like the one I'm replying to that are just plain wrong are given points, but the best posts are given -1's if they're from people that aren't logged-in.

Hats off to Marriott (2, Insightful)

TheFlyingGoat (161967) | more than 8 years ago | (#14376728)

Many companies out there wouldn't even know if their tapes had been misplaced or lost. At 3 companies I've worked for, we've had tapes lying around in managers' offices and server rooms, many that contain information that could be used for identity theft.

Marriott has handled this correctly and deserves some credit for doing so. At least they're not trying to cover it up like some companies would.

Re:Hats off to Marriott (4, Informative)

humphrm (18130) | more than 8 years ago | (#14376812)

Umm, I hate to say it, but a tape missing since last November constitutes a cover-up. Marriott only came out and admitted to the loss because their internal investigation turned up nothing.

ABN Amro lost a tape with my data on it. The news was out that week. DHL found it, and even though the news agencies didn't cover it much, I got a follow-up letter from ABN Amro AND they extended the free credit tracking service from 3 months to 1 year.

Marriott on the other hand waited over a month before they even notified the Secret Service, for crying out loud.

No kudos to Marriott for this one. They're lucky that their month-long cover-up isn't criminal (yet).

fraud monitoring (4, Insightful)

spoonyfork (23307) | more than 8 years ago | (#14376730)

I'm glad to read Marriot is offering credit fraud monitoring to the affected people like how Ford offered to its employees when they recently lost 70,000 employee/retiree SSNs. [freep.com] Unless it is lifetime monitoring I fail to see the long term value.

Wait a second, why don't the credit bureaus offer free lifetime credit fraud monitoring to everyone in the first place?

Re:fraud monitoring (1)

Dhalka226 (559740) | more than 8 years ago | (#14376804)

Wait a second, why don't the credit bureaus offer free lifetime credit fraud monitoring to everyone in the first place?

Because they are not not-for-profit's?

Re:fraud monitoring (2)

vorok (718954) | more than 8 years ago | (#14376854)

Wait a second, why don't the credit bureaus offer free lifetime credit fraud monitoring to everyone in the first place?
I hate to state the obvious, but why offer a service which invariably takes up some form of resources, if not they are not receiving some benefit for it? Because they do offer it, just not for free. Not to say that they shouldn't, I think that especially with computers the amount of money that it would cost them would be more than made up for if they offered it for "free", but they don't see it that way, and never will. As long as they can make money off those who think it is worthwhile to buy, they will continue to charge.

They offer self-service (2)

lorcha (464930) | more than 8 years ago | (#14376966)

They don't do free monitoring, but if you're willing to do the legwork of monitoring yourself, you can monitor your credit file yourself, free of charge. clicky [annualcreditreport.com]

It seems they have taken the appropriate steps! (0)

Anonymous Coward | more than 8 years ago | (#14376734)

After all has been said and done, it honestly appears that Marriott International has taken the appropriate steps in this situation: they performed an internal search, then notified not only the authorities but also credit institutions. This helps to mitigate any misuse of this information as quickly as possible. They even did this before making it public, so that as much progress in discovering what has actually happened could occur before everyone (possibly including the perpetraitors) was aware.

Kudos to a company not ignoring problems but handling them directly!

Relax (0)

Anonymous Coward | more than 8 years ago | (#14376735)

Why worry about government spying when corporations can simply bungle your personal info out into the wild? (Bunge in the jungle, if you will).

This is why... (1, Funny)

Anonymous Coward | more than 8 years ago | (#14376744)

This is exactly the reason why we never make backups. What does not exist, cannot be stolen :)

This just in (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14376751)

My girlfriend peed. Please post on slashdot about it.

*note: post must be fictional due to reference of a girlfriend. slashdotters do not have girlfriends. QED.

Secret Service? (2, Funny)

moosesocks (264553) | more than 8 years ago | (#14376760)

Forgive me for being uninformed, but why would the Secret Service be the agency responsible for investigating this type of incident?

Unless Valerie Plame had a timeshare.....

Re:Secret Service? (2, Informative)

rritterson (588983) | more than 8 years ago | (#14376784)

The Secret Service also serves as the branch of law enforcement that investigates financial fraud and counterfeiting. From The Secret Service web page [secretservice.gov]:

"The Secret Service also investigates violations of laws relating to counterfeiting of obligations and securities of the United States; financial crimes that include, but are not limited to, access device fraud, financial institution fraud, identity theft, computer fraud; and computer-based attacks on our nation's financial, banking, and telecommunications infrastructure."

Re:Secret Service? (1)

hrvatska (790627) | more than 8 years ago | (#14376794)

From http://www.secretservice.gov/mission.shtml/ [secretservice.gov]:

The Secret Service also investigates violations of laws relating to counterfeiting of obligations and securities of the United States; financial crimes that include, but are not limited to, access device fraud, financial institution fraud, identity theft, computer fraud; and computer-based attacks on our nation's financial, banking, and telecommunications infrastructure.

Re:Secret Service? (1)

ctr2sprt (574731) | more than 8 years ago | (#14376816)

The Secret Service is part of Treasury. They also deal with things like counterfeiting rings. As Treasury is going to be involved in large-scale financial fraud investigation, and Secret Service is an enforcement arm of Treasury, this makes sense to me.

It all seems like stuff the FBI ought to be doing, but I think that's mainly an artifact of how crime has changed. Federal law enforcement was originally designed to go after the mob, and you get the mob by following the money. So it makes sense for Treasury to handle that, and so they got the Secret Service. (Think Elliot Ness in The Untouchables.) But as the mob dwindled in significance, or perhaps as other interstate crimes became more significant, the FBI, which was a more general-purpose agency, became dominant. Now just about anything can fall under the FBI's purview. So I'm sure Treasury will jealously guard any area where it can claim authority or Secret Service will become what everyone already thinks it is: nondescript guys with earbuds and suits who hang out with the President all day. Well, nondescript guys who can somehow conceal assault rifles under their suit coats.

Or maybe, what with the name and all, they're happy about the relative anonymity.

Re:Secret Service? (1)

bloo9298 (258454) | more than 8 years ago | (#14376823)

Their mission [secretservice.gov] includes:

The Secret Service also investigates violations of laws relating to counterfeiting of obligations and securities of the United States; financial crimes that include, but are not limited to, access device fraud, financial institution fraud, identity theft, computer fraud; and computer-based attacks on our nation's financial, banking, and telecommunications infrastructure.

Conspiracy (1)

kevin_conaway (585204) | more than 8 years ago | (#14376769)

I read about this in the post almost a week ago. Its finally posted to slashdot on a Sunday, and a "holiday" Sunday at that.

Discuss.

</Linda Richman>

That's nothing... (5, Informative)

Anonymous Coward | more than 8 years ago | (#14376775)

AC for obvious reasons...

I work the front desk at a competing 4-star hotel chain. I work the night shift ($10/hr to sit there babysitting the desk and reading/fiddling on my laptop, great job for students ;-)). Anyway, the first day, FIRST DAY! I was working there I had access to all the back-up tapes for the past month with every guests name, address, phone number, what government agency/corporation they work for, and CC#'s/expiration dates. The tapes are all sitting in a filing cabinet in the front office.

So many people touch the tapes, front desk staff/accounting/reservations/IT, that if one went missing it would be impossible to track back to an individual. What's more, if I just picked up my own tape and made a dupe at night in 35 minutes while I'm there alone nobody would ever know.

This is a 400 room hotel in a major U.S. city, access to literally tens of thousands of names, addresses and associating credit card numbers, all for filling out a standard job application that I may or may not have filled out accurately. Unbelievable.

Re:That's nothing... (1)

MichaelSmith (789609) | more than 8 years ago | (#14376961)

This is a 400 room hotel in a major U.S. city, access to literally tens of thousands of names, addresses and associating credit card numbers, all for filling out a standard job application that I may or may not have filled out accurately. Unbelievable.

After my wife and I returned from Malaysia in 2004 we started seeing charges on her credit card from resorts and shops in Japan. It took months to get our bank to accept that these charges were not legitimate.

I have no problem believing your story.

I am REALLY starting to think (4, Insightful)

ScrewMaster (602015) | more than 8 years ago | (#14376795)

that if these large corporations can't be trusted to play with their computers safely, maybe they should have them taken away. At the very least, I think some adult supervision should be required by law. And if that doesn't work, send them back to using typewriters and filing cabinets.

Some private data loss statistics (4, Insightful)

michaelaiello (841620) | more than 8 years ago | (#14376815)

Lists of incidents

A report (with pretty graphs) from a recent financial engineering class. Data was from Feb to Sep 2005...
The 83 recorded loss events were categorized by loss event type and by industry sector. The data is relevant over 232 days. This yields a probability of a loss event occurring in any sector on any given day 35.7%. If only events affecting financial services institutions are counted, the probability is 7.5%.

http://privacydata.michaelaiello.com/paper.pdf [michaelaiello.com]

Bring forth the math corrections

I don't know... (2, Insightful)

Chabil Ha' (875116) | more than 8 years ago | (#14376822)

and maybe I'm just ignorant, but WHY DON'T THEY ENCRYPT ALL THAT INFORMATION WHEN IT LEAVES THE MAIN DATA WAREHOUSE? It seems to me that by encrypting its contents, you put some security around it should it be lost/stolen/etc. Can anyone explain why this isn't done?

Re:I don't know... (1)

Detritus (11846) | more than 8 years ago | (#14376884)

  • It's additional work to generate and manage keys.
  • It burns CPU cycles and may slow down a backup process that is already too slow.
  • The backup software may not support it.
  • Lack of funding or interest by management.
  • No security policy.

Re:I don't know... (1)

HD Webdev (247266) | more than 8 years ago | (#14376911)

and maybe I'm just ignorant, but WHY DON'T THEY ENCRYPT ALL THAT INFORMATION WHEN IT LEAVES THE MAIN DATA WAREHOUSE? It seems to me that by encrypting its contents, you put some security around it should it be lost/stolen/etc. Can anyone explain why this isn't done?

If you encrypt a database backup and there is an error on the tape, the backup could easily be useless.

For this same reason, many Linux users still do not compress backups of their data. Even though there is media these days that is much more reliable than tape, one scratch on a burned DVD can easily make the DVD useless.

Re:I don't know... (2, Informative)

Vellmont (569020) | more than 8 years ago | (#14376959)


If you encrypt a database backup and there is an error on the tape, the backup could easily be useless.

Only under certain modes of block cyphers. If you use an electronic code book mode of a block cipher you only lose the block with the error on it. It's not as secure of course, but it's a lot better than nothing.

Re:I don't know... (1)

Vellmont (569020) | more than 8 years ago | (#14376915)

There's no technical reason why they don't do it. The short answer is that the companies are too cheap and short sighted to do it. Changing their data backup system to have the proper key management to assure both data security, and recoverability would cost money. Big companies like these are often run by bean counters who don't understand the risk. After a few more of these very public losses, maybe they'll start listening to the security guys in the company.

Who'da thunk it? (1)

Paraplex (786149) | more than 8 years ago | (#14376829)

Data retained falls into the wrong hands. Lets all sit around silently twiddling our thumbs until that data stops being your financial and residency data and starts being your movement data [slashdot.org]

Hooray for data retention

Other possibilities (1)

HermanAB (661181) | more than 8 years ago | (#14376860)

1. The tape monkey didn't make the backups in the first place and tried to cover his ass by reporting them stolen. 2. The tape monkey re-used the tapes for another backup session. 3. The janitor stole the tapes thinking that it may be a porn movie. 4. The CFO took the tapes to hide a case of insider trading. 5. The CEO took the tapes thinking that they are from the security cameras and he didn't want a trist exposed. 6. ???

Re:Other possibilities (1)

llefler (184847) | more than 8 years ago | (#14376978)

6. they are misfiled in a million tape library.
7. the boxes were improperly labeled when they were sent to offsite storage and are misfiled.
8. they were accidentally destroyed with other old tapes.
9. the tapes were mislabeled. (internal label doesn't match physical label)

BTW, that's Tape Ape. You're confusing that with Code Monkey.

206K dupes (1)

geneing (756949) | more than 8 years ago | (#14376870)

AFAIK timeshares have pretty bad reputation because of the shady methods of selling them. So, many people who had their identity stolen may have already been (perfectly legally) swindled.

Not surprising at all (1)

IntelliAdmin (941633) | more than 8 years ago | (#14376876)

It is amazing the number of companies I have done consultation for where the person that is responsible for the tapes has no idea how much information is on them. I have heard of people leaving them in their car unlocked over the weekend, or while they shop. Not to mention the fact that extreme heat, and cold can destroy the things...anyone could come along and steal them.

The Marriot case study (1)

stimpleton (732392) | more than 8 years ago | (#14376885)

Some years back when at University, we did a case study on an IT project that Marriott did in partnership with Rental car agencies - a booking system tie in.

It was terribly over budget, and delayed a long time.

A significant factor was the project manager lieing about timeline milestones and being within budget.

Later, once it was too late, a report slammed marriot for not reviewing the project reports, which stated time and time again that "all is well". Marriott had next to no QC or risk analysis. They allowed it to be a free wheeling disaster.

No particular point to this, but reading "Marriott" bought back memories.

copyright (0)

Anonymous Coward | more than 8 years ago | (#14376890)

copyright all your personal information. There's more but that is one way to go about it.

Inform anyone who has YOUR information that it is YOURS, not theirs, and it is only authorized for them to use it for the one initial transaction you had with them, one time when you do business with them, then they must delete it or alter it so it isn't complete, leaving only enough to match with some other records for further transactions. Tell them quite clearly that it isn't theirs to trade, sell, store, transfer, etc.

If they lose it, abuse it, sell it, swap it, etc, sue them see:**AA type action

Use the jerkoffs laws and regulations right back at them. Don't let corporations buffalo you, they are moribund pussies in reality, the bigger they are the more they won't want to deal with one hardass case and you'll get what you want.

It's time people got proactive with THEIR DATA, it is not these bunghole companies data afterall, you have just failed to protect your data because no one told you that it was your data. THAT'S why these various companies don't give a care about your stuff, because you've de-balled yourself in front of their business smoke and mirrors leetness, due to universal consumer brainwashing and learning to be a good corporate serf under the United Snakes of AmeriKKKa pseudo rules. They only tell you enough to be a slave and THAT'S IT. That's why you have to take it without any K-Y all the time, you agreed to be a slave by default while you were busy elsewhere with your manga and football and bittorrented tunes and other bread and circuses action they throw over the fence at you to keep you amused when they aren't working you.

If YOUR data gets compromised it is YOUR fault. If you "trust" your data to a group of buffoons, are you surprised when buffoonery occurs?

When joe shopkeep wants my data, especially SSN, I say NO, tell them why, tell them that SSN is only for government tax/social security account purposes, and if they aren't in the government tax/social security account business it is none of their business. I have yet to be refused service, although most of the time I have to rant my way upstream several layers to get past the poor clerk. It becomes fun sometimes....

Don't be afraid of this barely skilled job called "the law", the lawyers guild is another almost total scam industry that seeks to keep knowledge obscured and obfuscated. The deal is, the big secret they don't want you to know, is that it isn't closed source. You got the code, just use it. Everything you need to find out or know is available. It's just WORDS, that's all, words, and which official form to use. Nothing all that special, not hard to learn what you need to conduct your business if you just chop it down to size and take it step by step. To be a specialist, sure, it can be hard, but for specific purposes, just look it up! You have the net, it used to be harder, but today it is easy. If you can spend the time and skull sweat to learn some totally lame childish videogame, you are smart enough and can learn enough law to help yourself immensely. If you can set up a linux network, you can learn some law. If you can admin samba or apache, you can learn some law, it's actually easier.

Now I expect some "professional" lawyer FUD. thwaaappppppTT! Come back when you are a plumber or master carpenter, when you have a real skill, then I'll be impressed.

Can't do it. Wouldn't be prudent. (1)

Chmcginn (201645) | more than 8 years ago | (#14377061)

copyright all your personal information.
There's plenty of other points (including the endless lawyer-bashing) I could pick apart, but I'll start with this one. I'm assuming you're in the US, cause you're talking about social security numbers. Well, at least in this country, you can't copyright a fact [wikipedia.org], or even a collection of facts (although you can copyright the arrangement of them, provided it's not an obvious one.)

And, no, you can't copyright your name [templetons.com] either.

And before you start ranting, no, I'm not a lawyer, I'm actually an electrician. (My sister is a lawyer, though, and was recently involved in a case where the plaintiff attempted to copyright his name & address, and then sue her employers for copyright infringement.)

Bah (1)

ddx Christ (907967) | more than 8 years ago | (#14376897)

This shouldn't be happening. Recently, all of my parents' information was "lost" as well. Not by Marriott, but by my the mortgage company. Apparently, it was with the courier and then *gone*. Yeah. The best they could do was offer some tips to avoid _future_ identity theft.

What if? (1)

Quirk (36086) | more than 8 years ago | (#14376913)

What if this stuff falls into the wrong hands? There's only a little flippancy built into the preceeding question. Very few criminals are intelligent or innovative. Most survive by a code of silence and a threat of violence. While still an undergraduate in Toronto I foolishly took a night job as a doorman/bouncer in a downtown club that had as a clientelle "made guys" in the Vagas knockoff bar upstairs and a well known motorcycle gang as patrons of the bar downstairs. At the time I wanted to be a writer and thought I needed street smarts. I got to know whores, pimps, and assorted "organized crime" guys. All but one were pretty much just people with no where else to go and no way to get out of where they were. Only one would have been able to have made good use of large identity theft.

Identity theft is a growth industry. The demands by government for ever increasing rights to track its citizens coupled to the fetish corporations have for tracking their customers are just now providing the means for massive, efficient criminal use of stolen identities.

There are now criminal organizations that are eagerly recruiting IT people and when the mix is right my guess is we'll see some staggering criminal activity.

Old (1)

OrGoN3 (884347) | more than 8 years ago | (#14376919)

This was in the papers LAST WEEK. To add to this, by law they have to notify every person that potentially has their identity stolen. Marriott has yet to do this.

Possible salvation is obscure database (1, Informative)

Anonymous Coward | more than 8 years ago | (#14376920)

Someone mentioned obscurity through hardware regarding backups.

I'm about 95% sure that this group of Marriott is running the D3 database (formerly known as The Pick System, O/S, etc.) It's been a few years since I have spoken with them, but they used to be my client.

D3 in and of itself would provide some level of obscurity, as the "Pick" data format is unique, with embedded metacharacters to delimit it's "Multi-value" item (record) structure, plus, a unique storage method for tape archives.

The possible bad news is that Pick data structures are all ASCII, including it's tape backups, unless Marriott had saved these as "binary backups", which would then only be useful for restoration on the exact same machine configuration from which it was saved. So it's likely these are in what is known as "file-save" tapes.

And there is no intrinsic encryption available in D3, so that is off the table.

So, someone with malicious intent who got their hands on these would have to either know D3 or be able to read blocks off the tapes and try to noodle out how to extract the data to make any use of it.

Or, they could just cheap version of D3 and restore the tapes, then have a data orgy with D3's terrific inherent natural language reporting.

This is why ... (1)

operagost (62405) | more than 8 years ago | (#14376925)

My company's credit union clients are being encouraged by both us and the NCUA to encrypt their tape backups. Our software runs on OpenVMS and we are reselling HP's Encryption software and training the CUs to use it. Their data can thus be reasonably well secured when exposed enroute to their offsite storage or to us for their disaster recovery testing. Unfortunately, some of our clients use third parties as their DR and some of them, despite their huge size and supposedly sophisticated facilities, can't seem to support this encryption product although it is now included with OpenVMS 8.2.

Much more common than you think (1)

greg_barton (5551) | more than 8 years ago | (#14377038)

In one of my first jobs as a programmer my first assignment was to go to a local ISP and help them restructure their customer database. So on my first day I ask the lead programmer to give me the DB structure. End of the day comes and he hands me a disk. I get back to the office and find that it contains the ENTIRE DATABSE: ~100,000 names, addresses, CC numbers, and SSN's. (After that we did an extensive security audit of their software...)

All backup software should encrypt the backups. (1)

Futurepower(R) (558542) | more than 8 years ago | (#14377052)

All backup software should encrypt the backups. Unfortunately, backup software is still very primitive.

Backup software should also automatically do a compare and determine if the backup is actually usable. In about 5% of our tests, Acronis TrueImage software, for example, has made a backup that it won't read.

It's simple enough to solve Marriot's problem. Pass a law that anyone storing more than 100 credit card numbers must use encryption. Provide cross-platform open source backup software that meets the requirements of the law. The law should provide guidance concerning the keeping of the passwords.

Re:All backup software should encrypt the backups. (1)

Chmcginn (201645) | more than 8 years ago | (#14377070)

It's simple enough to solve Marriot's problem. Pass a law that anyone storing more than 100 credit card numbers must use encryption.

I find it pretty entertaining how the same group of people (not necessarily you in person) who bitches about so many unnecessary laws, like, say, something from Indiana, starts proposing new laws whenever their personal issue is messed with.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...