Ex-Starwood Senior VP of Technology Dishes on Marriott’s Data Breach

A couple of weeks ago Marriott revealed a massive data breach affecting 500 million records. They didn’t tell us very much about what happened, other than that in some cases even passport numbers were revealed and that the data that was hacked came from legacy Starwood reservations since 2014.

  • The numbers didn’t really make sense — how on earth do they get to 500 million records?

  • They emphasized that it was the Starwood database as though it wasn’t their fault, even though the hack had been ongoing for a couple of years after the merger while Marriott was managing the system (indeed, most of the Starwood IT folks were long gone, merger victims).

  • They also seem to have pushed the idea that China could be at fault, though there’s little evidence for this. Tools used in previous government hacks are available elsewhere, and there’s not even an indication that it was just a single hack.

There have been some head fakes towards taking responsibility, like promising to pay for new passports for those people whose identities are already compromised. Too little, too late, for those people and also something very low cost to Marriott. The truth is you’re on your own to protect yourself, so here’s what you should do.

Now a former Starwood Senior Vice President of Technology is speaking out with inside knowledge to shed some light on what is likely to have happened here. The breach almost necessarily had to have occurred in the data warehouse to reach the levels of exposed data Marriott reports, and unsurprisingly he thinks Marriott bears a lot more responsibility here than the way they’ve portrayed things publicly.

Here’s why he says it has to be the data warehouse, which Marriott managed directly from the moment of the merger:

It is known that soon after Marriott took control of Starwood, they began to migrate the Starwood Data Warehouse to Marriott. From a purely business perspective this makes sense, since one of the most valuable and rapidly actionable Starwood assets would have been its historical booking records.

…Marriott seems to suggest the breach was made in the reservation system.

However, it is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout.

Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.

As for the SPG database, it would contain one record from each SPG member, but not even under the most optimistic scenarios would Starwood have had 500 million registered SPG guests.

…However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract‐Transform‐Load process used during the migration.

He also offers reasons to be skeptical that the breach itself began in 2014; the more likely explanation is that the data warehouse simply held records dating back to 2014 that could have been taken.

Regardless of what did or didn’t happen, and whom to blame, we’re clearly not getting the full story from Marriott. And since it’s our very sensitive personal information they failed to safeguard, we should be demanding it.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.

Comments

  1. I have a real problem giving any more business to a company which treats its customers with such arrogant disdain.

    Who the hell do these people think they are trying to hide this stuff?

  2. Arrogant disdain has been the name of the game for Marriott ever since the moment they knew the merger was going through. Look at how they devalued gold status. Look at how they screwed over people redeeming for category 6 and 8 travel packages, then didn’t give out 30k point refunds unless you constantly wasted time calling in over months until you got lucky enough to get a rep to refund you. Hell even before the merger, their free breakfast policy is truly the most confusing in the industry. Everyone needs to dump Marriott because their arrogance is staggering. Too big to fail is too big to exist!

  3. Hello hackers, I stayed at some Marriotts and Westins, and here is my expired Visa card. Good luck with that info helping you, plus you already have this info on the dark web.

  4. Would you blame yourself if your home got broken into? Sure you locked your doors, and have a basic security system, but you didn’t splurge and get the top of the line system, and you didn’t pay for security guards 24/7 either!

    No system is infallible. The blame for hacks/thefts sits squarely with the criminals. It will keep happening until a significant number get prosecuted and jailed.

  5. I’ve actually heard from several different areas that China was indeed behind this hack; that the Justice Dept. already knows this; and that some major sanctions are headed their way over this.

    I guess we’ll see, but it does make some sense, given that Anbang was under agreement to buy Starwood (therefore I’m sure had access to their most sensitive info), before they eventually walked away.

  6. Yes, no system is infallible, but Marriott’s IT and customer service leave a lot to be desired, as demonstrated by the merger.

  7. @WR2 – This isn’t primarily about the criminal activity. This is about the coverup by Marriott. This disingenuous game of CYA that they’re playing will almost certainly end up becoming public. What they really need is a new board and a new CEO.

  8. “I have a real problem giving any more business to a company which treats its customers with such arrogant disdain.

    “Who the hell do these people think they are trying to hide this stuff?”

    I am stunned that as a gold member with I can’t even recall how many records in their systems from past stays I didn’t even receive an email about the breach until December 9th. It began “Dear Valued Guest”.

    I’m cashing out my points and taking my business elsewhere. Screw you Marriott.

  9. @WR2, I fundamentally agree with your points, but there’s more to it. Consider this example: You have the security system you described (good but not perfect) and let a friend use your house for the weekend. When your friend leaves, he leaves the front door wide open. A thief wanders in and steals your stuff.

    Clearly the thief is the evildoer, but does your friend bear any culpability for not closing the door?

  10. “Arrogant disdain has been the name of the game for Marriott ever since the moment they knew the merger was going through. Look at how they devalued gold status.”

    You do understand that the new Gold is not the same as the old one. Gold now is closer to the previous Platinum. If you were Gold you should have been bridged to Platinum. I’m talking Marriott Rewards. I realize the Starwood program was devalued but that is the consequence of being acquired. I was lifetime Platinum on Marriott and am now lifetime Platinum Premier (which isn’t even being offered outside of this transition period to people already lifetime Platinum or that qualify by 12/31/18). I’ve got better benefits than before so very happy.

    Also, as a 39 year IT professional (including CTO and CIO of national companies) I can understand it was the legacy Starwood res system as opposed to the combined data warehouse as the ex Starwood IT VP proposed. They still haven’t said if 500 million unique customers or what constitutes a record. Also, given the structure of the merger there is likely little recourse for people hacked prior to the acquisition and, even afterwards, it would likely have to rise to the level of gross negligence (hard to prove) to get material payoffs. Suspect there will be a class action suit, will be settled for a large amount (that will all go to attorneys) as opposed to wasting time on defense or a trial and then concession will be future protections and credit monitoring.
