Tag Archives: Marriott

In Case You Thought GDPR Was Overblown – It’s Not

When GDPR first went into effect in May 2018, people talked about horror stories of fines to the tune of 4% of a company’s total global revenue.

Then reality hit and there were no fines or tiny fines.  Or so it seemed.

The problem with regulators is that it always takes them a while.

Legitimately, you do want them to make sure that they are only issuing fines when appropriate.

This week we have two big fines on the horizon.

The UK Information Commissioner’s Office (ICO) has decided to fine Marriott 99 million Pounds Sterling, or roughly $125 million, for the Starwood breach.  While that is not the end of the world for a company like Marriott, and it is even possible that they have insurance to cover some or all of it, Marriott is fighting it.  (Source: BBC).

Also in the UK, the ICO decided to fine British Airways 183 million Pounds Sterling, or about $225 million, for a website breach that affected about a half million people.  That represents 1.5% of their global revenue for 2017. Source: BBC.

Some people were hoping that the various data protection authorities were going to be all bark and no fine, but reality is a little different.

We have already seen many smaller fines.  But it is all relative.  A Polish taxi cab company was fined 160,000 Euros for failing to delete data that it could not justify retaining.  160,000 Euros for a taxi company might be harder to swallow than 183 million Pounds for BA.

And from the scuttlebutt, what we hear is to expect many more fines during 2019 and 2020 as the authorities ramp up their staff and complete investigations.  As of January of this year, authorities had received about 60,000 complaints (Source: Law.com).  Helen Dixon, the Irish Data Protection Commissioner, had 29 people on her staff in 2015 – before GDPR.  Ireland is where companies like Facebook have their European HQs for tax reasons.  Dixon has a staff of 133 right now with 30 openings and is anticipating adding more staff in 2020.

Companies big and small should not plan on flying under the radar because even if one of the data protection authorities doesn’t single you out, if your users are among those 60,000 complaints — you still could wind up being investigated.

Security News for the Week Ending December 21, 2018

Patches This Week

Microsoft issued an emergency out-of-band patch for an Internet Explorer zero day bug that affects IE 9, 10 and 11 on Windows 7, 8 and 10 and the related server versions.  The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine.  See details here.

The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices.  Read the details here.


Taylor Swift Spies on Her Fans

In the turnabout is fair play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers.  Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared them to a database of suspected stalkers.  They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance.  Source: The Register.


Marriott Breach Traced to China

What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach?  According to some sources, they are all traced back to China.  The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.

Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks.  As with OPM and Anthem, much of the Marriott data – when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise) – ages quite well.

All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us.  Is the pressure just making them hack us even more?  Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).


Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport

A Muslim-American traveler was detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East.  Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused.  He was handcuffed and detained for four hours and missed his flight.  When he asked if he was under arrest and needed a lawyer, he was told no.  Eventually, after many hours, he relented and unlocked his phone.  CBP examined the phone and possibly imaged the phone.

Since he is a natural born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained.

He is now suing the U.S. government.  That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting.  Source: The Register.


Facebook Shared Your Data with 150 Partners Without Telling You

The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others.  Facebook says that they didn’t do that without users’ permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it.  Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not).  Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own.  Facebook did admit that this raises user trust issues.  Likely true.  Source: HuffPo.

What Do December Breach Announcements Point Out?

First it was Marriott.  The breach of Marriott’s Starwood division systems exposed data on 500 million clients and triggered multiple lawsuits and investigations.

That breach was four years in the making and across two different management teams – first at Starwood and then at Marriott.


This week 1-800-Flowers announced that it too was breached.  The Canadian division’s web site was breached.  In 2014.  They detected the breach in September 2018, four years into it.


How do hackers remain inside the systems of large companies for four years?

Were the hackers targeting Marriott or 1-800-Flowers?  Probably not, but once they got in they probably thought they went to hacker heaven.

If hackers can do that to large companies, what about small companies?

Bottom line is that smart hackers want to stay in your system for as long as possible to maximize the “value”.

If you are stealing only credit cards, you can’t wait too long because credit cards expire.  In the Marriott case, which is now linked to hackers working for the Chinese, they stole a lot of other useful information for identity theft that has a much longer shelf life.

Also, it seems to be taking Marriott a long time to figure out what was taken.  I am not clear that they even really know now.

Big companies already know that they are targets of attackers, but so are small companies.

As companies increase the use of cloud-based systems, detecting the attacks could be harder.

Are you asking your cloud providers – all of them – who is responsible for detecting breaches?  I bet for many providers, they will say it is you.  And who responds to them?

Are you ready to respond to an incident?  That includes figuring out what you are going to say on social media and how you are going to respond to social media chatter.  Sometimes that chatter can get pretty brutal.

Companies need to prepare for and test how they are going to respond.

Small companies say it won’t happen to them, but, while the Marriott and 1-800-Flowers type of breaches get lots of press, the vast majority, by numbers, of breaches happen to companies with a few employees up to a couple of hundred employees.

Both of these breaches were outed when the companies reported the breaches to authorities, so if you think you are going to keep your breach quiet, that is likely impossible unless it is really small.

Get prepared, stay prepared and be thankful if you don’t have to activate that preparation.

Information for this post came from Threat Post.

FCC Going After Companies That Block Personal WiFi

Some of you may remember that the FCC fined Marriott $600,000 a year ago when it was disclosed that Marriott was blocking personal WiFi hot spots so that customers were forced to use the hotel’s convention center WiFi, which often costs hundreds of dollars a day or more.

This summer, the FCC fined Smart City, an ISP for convention centers and hotels, $750,000 for doing the same thing.

Now they are fining M.C. Dean $718,000 for blocking personal WiFi connections.  M.C. Dean charges exhibitors up to $1,000 a day for WiFi access at the Baltimore Convention Center.

The FCC has proposed to fine Hilton $25,000 for obstructing an investigation by failing to turn over documents for over a year.  They said that fine could go up a lot if Hilton continues to fail to hand over documents related to WiFi blocking.

From the hotel’s and provider’s standpoint, they don’t want anyone to interfere with their very expensive WiFi service.

From the FCC’s standpoint, the law says that you cannot block free spectrum even if it might interfere with you making money by selling access to that spectrum.

It certainly appears that blocking WiFi signals to force you to buy their service could be a standard practice at major hotel chains, especially in the convention center areas.  In my experience staying at hotels, my personal WiFi hot spot often does not work.

The FCC says that the blocking tools are not exactly precise in nature and sometimes blocked WiFi signals in passing cars in Baltimore.

M.C. Dean said that they did use “auto-block” mode which automatically attempts to kill any WiFi connection that is not going to a paid session.

By fining these companies a few million dollars collectively, the companies are not going to go broke, but I would not be surprised if fines go much higher for repeat offenses.

The fine for jamming can go as high as $112,500 per act or $16,000 per day.  That means if you block just 1,000 sessions, you could be fined $112 million.  That would likely get people’s attention.  1,000 sessions could occur in 1 day at a busy convention center.

Unfortunately, as more people use WiFi, there will be competition for access and possibly more of this kind of activity.

Clearly, charging you $1,000 a day for WiFi access makes these hotels a lot of money.  Maybe not enough to pay a hundred million dollar fine, but a lot of money nonetheless.

On the other hand, if big companies start cancelling conventions over it, that will get the companies’ attention.

Material for this post came from Network World.

Marriott Fined $600,000 by FCC For Messing With People’s Personal Wi-Fi Hotspots

According to an article on CNN.com and other places, the FCC has fined Marriott $600,000 for doing what I suspect other properties have been doing also but not (yet) caught at.

According to CNN, Marriott, for reasons unknown, decided that they should be allowed to kill visitors’ Wi-Fi hot spots that were not connected to the hotel network at all.

Some people speculate this is because they want to sell you their Wi-Fi access.  At the event in question, at a Marriott property in Nashville (Gaylord Opryland), the hotel was selling Wi-Fi access for $1,000 per device.  I assume this was at a convention center event.  Some admins speculate that they killed the personal Wi-Fi access points by masquerading as the user and sending deauthentication frames (DEAUTHs).

Marriott contends this is legal; the FCC has a different opinion.  Marriott said they were merely “protecting” their customers and that they will try to convince the FCC to change their rules. They are required to file compliance plans every three months for three years, and this covers all Marriott properties anywhere in the US.
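As an added, defender-side example that is not part of the original post: a sliding-window check over a constructed record of decoded 802.11 management frames that flags any BSSID seeing an abnormal burst of deauthentication frames, which is how a venue’s own WLAN monitoring (or a visitor running a monitor-mode capture) could spot the kind of blocking described above. The frame records, BSSIDs and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of decoded 802.11 management frames, in the shape a
# monitor-mode capture or WIDS export might give: (seconds, subtype, bssid, dest).
# The BSSIDs are made-up locally administered addresses.
SAMPLE_FRAMES = [
    (0.0, "beacon", "02:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
    # A single deauth is an ordinary client disconnect, not a flood.
    (0.5, "deauth", "02:11:22:33:44:55", "0a:0b:0c:0d:0e:01"),
    (1.0, "beacon", "02:66:77:88:99:aa", "ff:ff:ff:ff:ff:ff"),
] + [
    # 15 deauths in 1.5 seconds claiming to come from a personal hotspot's BSSID:
    # the signature of a blocker spoofing the hotspot to knock its client off.
    (1.0 + i * 0.1, "deauth", "02:66:77:88:99:aa", "0a:0b:0c:0d:0e:02")
    for i in range(15)
]


def detect_deauth_floods(frames, window_s=5.0, threshold=10):
    """Return {bssid: peak_count} for every BSSID that is the claimed source of
    at least `threshold` deauth frames within any `window_s`-second window.

    A handful of deauths per BSSID is normal; a sustained burst against one
    BSSID, especially one the venue does not operate, is what to alert on.
    """
    recent = defaultdict(deque)  # bssid -> timestamps of deauths still inside the window
    peaks = {}
    for ts, subtype, bssid, _dest in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop deauths that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


def foreign_bssid_floods(frames, own_bssids, **kw):
    """Restrict the flood report to BSSIDs the venue does not itself operate,
    i.e. hotspots that were 'not connected to the hotel network at all'."""
    return {b: n for b, n in detect_deauth_floods(frames, **kw).items()
            if b not in set(own_bssids)}


if __name__ == "__main__":
    print(detect_deauth_floods(SAMPLE_FRAMES))  # {'02:66:77:88:99:aa': 15}
```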

Mitch Tanenbaum