If Marriott didn't have enough problems with this merger, it just got worse.

It appears SPG was exposed since 2014........Wow!

Personal Cards: Amex Plat | Amex Delta Res | CSR | Citi AA Exec Business Cards: Ink+ | Amex BGR

Yep just saw this callig @K-in-Boston ..

Not good for SPG/Marriott PR, that's for sure.

Also not like all of my potentially breached data (except CC numbers) wasn't already out there anyway, and even that's Chase's problem now.

500 million? Can you imagine the lawyers salivating at the size of that class action?

---

@iced wrote:

 

Also not like all of my potentially breached data (except CC numbers) wasn't already out there anyway, and even that's Chase's problem now.

---

It's sad to say, but at this point I'm just kind of "yeah, whatever" when it comes to this stuff now.  Since it was only the Starwood side, they don't have much more info than my name, DOB, address, primary email address, and potentially my SPG card number.  Most of that's public information anyway, and I'm not at all worried about any fraudulent transactions on an Amex card since I'm confident with their track record on my Gold Card over the years that Amex will likely call me before I'm even aware of the transactions.

Also a big shout out to BBC News for waking me up 5 minutes before my alarm went off this morning with the push notification on this story!  

---

@Anonymous wrote:

What really bothers me, even though I shouldnt be in this breach since ive never used marriot/starwood related services, is that this is the first data breach i have yet seen to flat out say they cant guarantee that CC information wasnt taken.

 

They said they dont know if that information was compromised, which is scary, ive never seen a victim claim anything but "financial information remained secure, etc"

 

 

---

Including card data in the breach was (probably) a CYA move because assessing the exact extent of damage or data loss on compromised systems is impossible unless the intruders were sloppy amateur-hour script kiddies. Rootkits have gotten very sophisticated over the years, and it's often impossible to say for certain what data has been or has not been pulled off a system. At that point, the only sound assumption is that all data on the system is tainted or leaked. If you can't prove only X and Y data was breached, you have to CYA and say it was all breached. Game over.

The reason some breaches are able to say PCI data was or was not taken is because that data is usually segregated on entirely different systems and networks for regulatory reasons. The amount of due diligence required to certifiy that PCI- or HIPAA-protected data is secure is much higher (and more expensive and inconvenient) than general personal information such as names, addresses, and phone numbers. It sounds like in this case, either the systems hosting PCI data were the ones compromised or there was evidence that the intruders accessed/communicated with the PCI systems. If I can't prove what data was exchanged between systems, and I know one system trusts the other, I'm back to the above - I have to assume both systems were at risk.

---

@kilroy8 wrote:

500 million? Can you imagine the lawyers salivating at the size of that class action?

---

On a data breach?

There are plenty of reasons for class action, but I don't think this qualifies at least under current US law?  Actually I don't think it would even on the EU's GPDR.