Month: December 2018

The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputation attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

Especially sensitive data

But the target here — hotels where high-stakes business deals, romantic trysts and espionage are daily currency — makes the data gathered especially sensitive.

Jesse Varsalone, a University of Maryland cybersecurity expert, said the affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials.

“There are just so many things you can extrapolate from people staying at hotels,” Varsalone said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.

Starwood brand hotels

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Breach undetected for a while

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected it Sept. 8 but was unable to determine until last week what data had possibly been exposed because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

The cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the “two components needed to decrypt the payment card numbers.” It said it cannot “rule out the possibility that both were taken.”

Privacy laws

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.

The FBI said anyone contacted by Marriott should “take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.”

Passport numbers have previously been part of a hack, though it’s not common. They were among records on 9.4 million passengers of Hong Kong-based airline Cathay Pacific obtained in a breach announced in October.

Combined with names, addresses and other personal information, passport numbers are a greater concern than stolen credit card numbers because thieves could use them to open fraudulent accounts, said analyst Ted Rossman of CreditCards.com.

Hotels long a source of information

The data purloining highlights just how dangerous hotels can be for people worried about their privacy.

“Hotels have long been important government sources of local information for tracking foreigners: reservation systems and loyalty programs took the surveillance global and made it easier for us to give up our privacy,” said Colin Bastable, CEO of Lucy Security.

Intelligence agencies including the U.S. National Security are well plugged into the global travel industry “by fair means or foul,” he said, nongovernment cybercriminals now have the same hacking tools.

“Consumers have become collateral damage,” he said. “And we are all consumers.” He advises providing hotels with as little information as possible when making reservations and checking in.

Last year, the cybersecurity firm FireEye highlighted an effort in which Russian state agents allegedly tried to infiltrate the reservation systems of hotels in Europe and the Middle East.

21 million Starwood program members

When its acquisition by Marriott was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was too early to say what financial impact the breach might have on the company. It said it has cyber insurance and is working with its carriers to assess coverage.

Elected officials were quick to call for action.

The New York attorney general opened an investigation.

Virginia Sen. Mark Warner said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers “shoulder the burden and harms resulting from these lapses.”
…

The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputation attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

Especially sensitive data

But the target here — hotels where high-stakes business deals, romantic trysts and espionage are daily currency — makes the data gathered especially sensitive.

Jesse Varsalone, a University of Maryland cybersecurity expert, said the affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials.

“There are just so many things you can extrapolate from people staying at hotels,” Varsalone said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.

Starwood brand hotels

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Breach undetected for a while

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected it Sept. 8 but was unable to determine until last week what data had possibly been exposed because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

The cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the “two components needed to decrypt the payment card numbers.” It said it cannot “rule out the possibility that both were taken.”

Privacy laws

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.

The FBI said anyone contacted by Marriott should “take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.”

Passport numbers have previously been part of a hack, though it’s not common. They were among records on 9.4 million passengers of Hong Kong-based airline Cathay Pacific obtained in a breach announced in October.

Combined with names, addresses and other personal information, passport numbers are a greater concern than stolen credit card numbers because thieves could use them to open fraudulent accounts, said analyst Ted Rossman of CreditCards.com.

Hotels long a source of information

The data purloining highlights just how dangerous hotels can be for people worried about their privacy.

“Hotels have long been important government sources of local information for tracking foreigners: reservation systems and loyalty programs took the surveillance global and made it easier for us to give up our privacy,” said Colin Bastable, CEO of Lucy Security.

Intelligence agencies including the U.S. National Security are well plugged into the global travel industry “by fair means or foul,” he said, nongovernment cybercriminals now have the same hacking tools.

“Consumers have become collateral damage,” he said. “And we are all consumers.” He advises providing hotels with as little information as possible when making reservations and checking in.

Last year, the cybersecurity firm FireEye highlighted an effort in which Russian state agents allegedly tried to infiltrate the reservation systems of hotels in Europe and the Middle East.

21 million Starwood program members

When its acquisition by Marriott was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was too early to say what financial impact the breach might have on the company. It said it has cyber insurance and is working with its carriers to assess coverage.

Elected officials were quick to call for action.

The New York attorney general opened an investigation.

Virginia Sen. Mark Warner said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers “shoulder the burden and harms resulting from these lapses.”
…

The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputation attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

Especially sensitive data

But the target here — hotels where high-stakes business deals, romantic trysts and espionage are daily currency — makes the data gathered especially sensitive.

Jesse Varsalone, a University of Maryland cybersecurity expert, said the affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials.

“There are just so many things you can extrapolate from people staying at hotels,” Varsalone said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.

Starwood brand hotels

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Breach undetected for a while

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected it Sept. 8 but was unable to determine until last week what data had possibly been exposed because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

The cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the “two components needed to decrypt the payment card numbers.” It said it cannot “rule out the possibility that both were taken.”

Privacy laws

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.

The FBI said anyone contacted by Marriott should “take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.”

Passport numbers have previously been part of a hack, though it’s not common. They were among records on 9.4 million passengers of Hong Kong-based airline Cathay Pacific obtained in a breach announced in October.

Combined with names, addresses and other personal information, passport numbers are a greater concern than stolen credit card numbers because thieves could use them to open fraudulent accounts, said analyst Ted Rossman of CreditCards.com.

Hotels long a source of information

The data purloining highlights just how dangerous hotels can be for people worried about their privacy.

“Hotels have long been important government sources of local information for tracking foreigners: reservation systems and loyalty programs took the surveillance global and made it easier for us to give up our privacy,” said Colin Bastable, CEO of Lucy Security.

Intelligence agencies including the U.S. National Security are well plugged into the global travel industry “by fair means or foul,” he said, nongovernment cybercriminals now have the same hacking tools.

“Consumers have become collateral damage,” he said. “And we are all consumers.” He advises providing hotels with as little information as possible when making reservations and checking in.

Last year, the cybersecurity firm FireEye highlighted an effort in which Russian state agents allegedly tried to infiltrate the reservation systems of hotels in Europe and the Middle East.

21 million Starwood program members

When its acquisition by Marriott was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was too early to say what financial impact the breach might have on the company. It said it has cyber insurance and is working with its carriers to assess coverage.

Elected officials were quick to call for action.

The New York attorney general opened an investigation.

Virginia Sen. Mark Warner said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers “shoulder the burden and harms resulting from these lapses.”
…

A U.S. judge in California has granted preliminary approval of a $48 million settlement for investors who said Volkswagen AG made false and misleading statements about its excess diesel emissions. 

Lawyers for the investors, who include police and other municipal pension funds, had estimated that the maximum they could have recovered was $147 million. But Judge Charles Breyer said the settlement agreed to in August appeared “fair, adequate and reasonable.” 

VW, in a statement, said Friday that the “proposed settlement agreement eliminates the uncertainty and considerable costs of protracted litigation in the United States and is in the best interests of the company.” The ruling was issued late Wednesday. 

Buybacks

In total, Volkswagen has agreed to pay more than $25 billion in the United States for claims from owners, environmental regulators, states and dealers, and has offered to buy back about 500,000 polluting U.S. vehicles. The buybacks will continue through 2019. 

The German automaker admitted in September 2015 to secretly installing software in nearly 500,000 U.S. cars to cheat government exhaust emissions tests. The vehicles had emitted up to 40 times the legally allowable pollutants. 

In 2017, VW also pleaded guilty of fraud, obstruction of justice and falsifying statements in a U.S. court. Under the plea deal, the automaker agreed to sweeping reforms, new audits and oversight by an independent monitor for three years. 

Federal prosecutors in Detroit unsealed criminal charges in May against former VW Chief Executive Officer Martin Winterkorn, who remains in Germany. Two other former VW executives have pleaded guilty in the investigation and are in prison. 

In total, nine people have been charged in the United States. 

Breyer set a date for a fairness hearing to allow further comment on the August settlement for May 10, after which a final ruling will be issued. 
…