Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/4/2019
05:00 PM
50%
50%

Marriott Sheds New Light on Massive Breach

New information on the Starwood breach shows that the overall breach was somewhat smaller than originally announced, but the news for passport holders is worse.

Commenting on a new round of information about the massive data breach that struck Starwood Hotels, Marriott International now says that the breach was somewhat less massive than originally thought, affecting roughly 383 million records rather than the 500 million originally said to have been compromised.

The news about the passport information released is not as good: Marriott has now put a number on the breached passport records, and it's 5.25 million. That's the number of unencrypted passport numbers that were accessed; roughly 20.3 million encrypted numbers were grabbed by the perpetrators, though Marriott says that there is no evidence that the criminals got the key required for unencrypting the files.

Responding to the announcement, Matt Aldridge, senior solutions architect at Webroot, said, "A key question we need to ask is why do hotels need to store passport numbers? One of the biggest impacts of GDPR was that it forced companies to consider the personal data they hold and ask customers for, whether this data was really needed and if so how to properly protect it. This is a great example of too much data being collected and retained."

Marriott says that it will have a mechanism available on its website for guests to check in order to see whether their passport number was accessed; the company promises to update the website and notify the public when the mechanism is running.

For more, read here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John Lenn
50%
50%
John Lenn,
User Rank: Apprentice
1/9/2019 | 5:42:17 AM
5.25 million unencrypted passport numbers

Marriott also believes that about 5.25 million unencrypted passport numbers were included in those records. Approximately 20.3 million encrypted passport numbers were also compromised.

Additionally, approximately 8.6 million encrypted payment cards were involved in the breach, but there is no evidence that the hackers have the mechanism to decrypt those numbers. This was the news that has been disclosed by marriot on november

REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/7/2019 | 1:26:17 PM
Re: Even Dentists?
There is no REQUIREMENT for your number according to Clark Howard in Georgia.  People just assume so and put the numbers in. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/7/2019 | 1:16:29 PM
Required Data
Only harbor data required to perform the business function. As the article denotes there is really no reason for a hotel to keep passport information. If you can minimize the amount of sensitve data stored at the company you won't have to rely on encryption as heavily to be your saving grace.
RSR555
50%
50%
RSR555,
User Rank: Strategist
1/7/2019 | 9:52:50 AM
Re: Even Dentists?
Your medical insurance company will need your SSN and for those covered by your policy for compliance with current law, but medical and/or dental practices should NOT require it from you.  Just politely say No.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/7/2019 | 8:34:12 AM
SSN for medical use
There is a specific purpose involved, not good, and it is for potential malpractice suits. 
Pm4zv
50%
50%
Pm4zv,
User Rank: Apprentice
1/6/2019 | 8:36:49 PM
Even Dentists?
I can remember dental offices and such were using a "standardized" form for new patients, which asked for SSN.  I just ignored it.  But SSN for a dental office?  Sheesh.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: It's the latest version of antivirus.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12607
PUBLISHED: 2020-06-02
An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a us...
CVE-2020-13764
PUBLISHED: 2020-06-02
common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.
CVE-2020-13760
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
CVE-2020-13761
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS.
CVE-2020-13762
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS.