Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/4/2019
05:00 PM
50%
50%

Marriott Sheds New Light on Massive Breach

New information on the Starwood breach shows that the overall breach was somewhat smaller than originally announced, but the news for passport holders is worse.

Commenting on a new round of information about the massive data breach that struck Starwood Hotels, Marriott International now says that the breach was somewhat less massive than originally thought, affecting roughly 383 million records rather than the 500 million originally said to have been compromised.

The news about the passport information released is not as good: Marriott has now put a number on the breached passport records, and it's 5.25 million. That's the number of unencrypted passport numbers that were accessed; roughly 20.3 million encrypted numbers were grabbed by the perpetrators, though Marriott says that there is no evidence that the criminals got the key required for unencrypting the files.

Responding to the announcement, Matt Aldridge, senior solutions architect at Webroot, said, "A key question we need to ask is why do hotels need to store passport numbers? One of the biggest impacts of GDPR was that it forced companies to consider the personal data they hold and ask customers for, whether this data was really needed and if so how to properly protect it. This is a great example of too much data being collected and retained."

Marriott says that it will have a mechanism available on its website for guests to check in order to see whether their passport number was accessed; the company promises to update the website and notify the public when the mechanism is running.

For more, read here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John Lenn
50%
50%
John Lenn,
User Rank: Apprentice
1/9/2019 | 5:42:17 AM
5.25 million unencrypted passport numbers

Marriott also believes that about 5.25 million unencrypted passport numbers were included in those records. Approximately 20.3 million encrypted passport numbers were also compromised.

Additionally, approximately 8.6 million encrypted payment cards were involved in the breach, but there is no evidence that the hackers have the mechanism to decrypt those numbers. This was the news that has been disclosed by marriot on november

REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/7/2019 | 1:26:17 PM
Re: Even Dentists?
There is no REQUIREMENT for your number according to Clark Howard in Georgia.  People just assume so and put the numbers in. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/7/2019 | 1:16:29 PM
Required Data
Only harbor data required to perform the business function. As the article denotes there is really no reason for a hotel to keep passport information. If you can minimize the amount of sensitve data stored at the company you won't have to rely on encryption as heavily to be your saving grace.
RSR555
50%
50%
RSR555,
User Rank: Strategist
1/7/2019 | 9:52:50 AM
Re: Even Dentists?
Your medical insurance company will need your SSN and for those covered by your policy for compliance with current law, but medical and/or dental practices should NOT require it from you.  Just politely say No.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/7/2019 | 8:34:12 AM
SSN for medical use
There is a specific purpose involved, not good, and it is for potential malpractice suits. 
Pm4zv
50%
50%
Pm4zv,
User Rank: Apprentice
1/6/2019 | 8:36:49 PM
Even Dentists?
I can remember dental offices and such were using a "standardized" form for new patients, which asked for SSN.  I just ignored it.  But SSN for a dental office?  Sheesh.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23381
PUBLISHED: 2021-04-18
This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23374
PUBLISHED: 2021-04-18
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23375
PUBLISHED: 2021-04-18
This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23376
PUBLISHED: 2021-04-18
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23377
PUBLISHED: 2021-04-18
This affects all versions of package onion-oled-js. If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.