It's probably as good a time as any to mention that releasing major breach announcements on Fridays is a worn-out trope by this point. That didn't stop Marriott from announcing[1] a breach of Starwood's reservation system affecting 500 million people to kick off this Friday with a bang.
Another Friday Another Breach Announcement
If you weren't planning on sharing four years of your travel history, personal information, and passport numbers with a nameless and faceless attacker somewhere in the world this morning, don't worry: Marriott and Starwood took care of that for you. Marriott announced that it uncovered four-plus years[2] of a previously unknown, unexpected, and unauthorized data sharing program that includes travel details, passport numbers, and credit card data. About 500 million of us (at least three of this blog's authors included) found out this morning when Marriott announced a multiyear breach dating back to 2014. If that wasn't bad enough, it appears that Starwood had a shockingly poor level of database and network security that allowed attackers to capture names, addresses, dates of birth, passport numbers, communication preferences, arrival and departure information, and so much more. The details are important, but to summarize the announcement: The attackers got everything they wanted.
Marriott has announced all the usual expected steps. It apologized, promised us it cares about security, provided a website and dial-in number, and also offered credit monitoring[3]. This is comforting for those of us who have credit monitoring from our employers and the other... 15 or so breaches we've been a part of. At this point, most of us can monitor our credit monitors to see how long it takes for changes to propagate between each one with the number of breaches we've