Marriott says 5.2M guests exposed in new data breach (reuters.com)
avz 1484 days ago [-]
The reason the practice of collecting consumer data is so prevalent is that it is very easy to do and opens potential opportunities for the business in future. Never mind that it exposes consumers to risks.

The practice won't stop until consumer data becomes a liability for any business touching it. At that time, only businesses that are actually able to utilize the data to derive revenue sufficient to compensate the liability will continue to collect it. Hopefully, in many cases the revenue would come about as a result of creation of some value for the consumer.

jakub_g 1484 days ago [-]
> contact details, loyalty account information and additional personal details such as gender and birthdays

I'm always wondering why a random service would need a date of birth (apart from validating "the person is an adult"). Some of them give you a special promo for your birthday, but I guess I can live without that.

Except for banking & government services, I typically provide a fake one if required, because, WTF?

sneak 1484 days ago [-]
Name + DOB to disambiguate are the lookup keys they pass to data brokers to identify you, given a government ID (required to check in to a hotel). It gives them access to things like address history, email address history (for crosslinking of account records), credit rating, marketing channel tags, etc.

Same goes for the phone number that some website registrations demand. It's not to call you, it's to look up your name and address and annual income.

irrational 1484 days ago [-]
Huh, I chose a random date from the year before I was born and use it whenever sites ask for my birthday. I’ve never had one come back and say that isn’t really my birthday.
Scoundreller 1483 days ago [-]
And for Dairy Queen, I gave them a date in the summer. Getting coupons in the middle of winter isn't too useful!
TechBro8615 1484 days ago [-]
It's not like they're checking in real time. There is some error rate in matching people via data brokers, so this trick just manifests itself in a lower cardinality of "enriched" profiles in their database.
swiley 1484 days ago [-]
It’s been a while since I checked in to a hotel but the only thing I remember giving them was my debit card.

Maybe I’m just so used to being asked for my ID I didn’t notice.

onlyrealcuzzo 1484 days ago [-]
It's because marketing teams like to send you emails on your birthday to "make you feel special", because apparently a lot of people can't see through this tactic.
rbanffy 1484 days ago [-]
I often edit my birthday to coincide with my stays.
harrisonjackson 1484 days ago [-]
You could just travel on your bday :D
sixstringtheory 1484 days ago [-]
But why only do it once a year?
saagarjha 1484 days ago [-]
Have you ever gotten perks out of it?
onetimemanytime 1484 days ago [-]
Gather as much as you can is their idea. It costs you nothing, but it may be valuable one day.
ntsplnkv2 1484 days ago [-]
I wonder if there will be a "data bubble" that will burst.

I mean, I would imagine a TON of places have my birthday now. How valuable is that information really?

farisjarrah 1484 days ago [-]
Entering your birthday is one of the main methods for account recovery for legacy systems like schools, hospitals, government websites, etc. It's stupid and many companies have moved away from that, but it was definitely more of a thing a few years ago.
zamadatix 1484 days ago [-]
What's to burst? Storage is dirt cheap and they get their tiny data breach fines (if any) whether or not they store the color of your second dog's favorite chew toy with the rest of the info.
ntsplnkv2 1484 days ago [-]
But that's exactly it - if it's so cheap, why is data so valuable?
jandrese 1484 days ago [-]
Storage is cheap, collecting the data is expensive. I mean this company had to run a national chain of hotels to collect this data. That's not easy.
ntsplnkv2 1484 days ago [-]
Okay, then collecting the data is expensive. Storage being cheap really doesn't matter. You can store tons of unstructured data but that data isn't valuable until it is structured which takes time and money.
jandrese 1484 days ago [-]
Organizing the data is part of collecting it. For something like customer checkin data it would seem to be organized right at the point of collection. The clerk types your data into a database record and submits it to the store.
rbanffy 1484 days ago [-]
Until it becomes a liability under the GDPR...
TylerE 1484 days ago [-]
My father and I both have the same first and last name, and same mailing address. Our birthdays are two days apart. We use the same pharmacy. DOB (including year) is important!
Ndymium 1484 days ago [-]
Don't they use personal ID number (e.g. SSN) to differentiate people? Or do you live in a place where you don't have those numbers?
swiley 1484 days ago [-]
Not everyone in the US has an SSN.
distances 1484 days ago [-]
Same name? Is that common where you live? That would be... unconventional around here, to put it mildly.
TylerE 1484 days ago [-]
Sure, very common.

John Smith, John Smith Jr...

distances 1484 days ago [-]
Right, now that I think about it I'm familiar at least with the George Bush case of like father, like son.
jariel 1484 days ago [-]
It's mostly the YOB that's valuable; 'basic demographics' is a powerful tool.

Full DOB can probably isolate you from other people with same name for other marketing purposes.

They do have 'adult v child' stuff so they for sure have legit reasons for wanting to know in addition to sleazy reasons.

gkoberger 1484 days ago [-]
I've never given my birthday or gender to a hotel, so my best guess is that they just have this info for some people but not most (rewards programs, perhaps?). It's possible they write it down when I give them my ID, but it seems like a lot of work for very little payoff.
gumby 1484 days ago [-]
In the US it is common now to swipe the driver’s license in order to verify age, at places as varied as bars and nightclubs, liquor stores, general shops that also sell liquor, and such.

All you need to prove is your age, but the company that puts the scanner in place (in the case of bars and restaurants) collects all the info on the DL. Walgreens collects all the info and correlates it with your CC if you don’t pay by cash. Etc.

Any major hotel will simply swipe your DL and will populate the guest record with its info.

lotsofpulp 1484 days ago [-]
I’m not aware of any major hotel brand that swipes driver’s licenses yet in the US.
jandrese 1484 days ago [-]
Huh? I don't think I've ever checked into a hotel and not been asked to hand over my driver's license so the clerk can punch in a bunch of info from it onto their machine.

I assume it's to help them track you down if you cancel your credit card, trash the room, and flee.

lotsofpulp 1484 days ago [-]
But they don’t swipe it.
gumby 1484 days ago [-]
The last hotel I stayed in, a W, did it as I checked in. And hmm, just realised they’re owned by Marriott.
dave5104 1484 days ago [-]
Seems like having a birthday (and therefore age) for everyone checking into a hotel could be valuable for business intelligence and other analytics.
reedwolf 1484 days ago [-]
Luckily, Marriott doesn't have anything else to worry about right now.
icebraining 1484 days ago [-]
Pandemic aside, they still have a $100M GDPR fine hanging from a previous breach!

https://www.theregister.co.uk/2020/01/13/ico_british_airways...

goodcharles 1484 days ago [-]
Not the worst time for the publicity.
tmlee 1484 days ago [-]
Every time I asked for my copied ID to be watermarked when checking in at hotels, they always gave me a strange look - as if I do not trust their information security.
imglorp 1484 days ago [-]
Would you elaborate how to do this?
eneveu 1484 days ago [-]
Yeah, I would like some more details. Not sure I understood what exactly it means to "watermark" the ID. Is the goal to change it subtly to find out if it was leaked? Or is the goal to redact parts of it?
pergadad 1484 days ago [-]
Smart idea, thanks.
bogomipz 1484 days ago [-]
The last breach was November of 2018. They have had a year and a half to fix their abysmal security practices. Instead they chose to focus their efforts in that time on a ridiculous branding juggernaut ("Bonvoy"). Seriously fuck this company. I hope people vote with their wallet.
imroot 1484 days ago [-]
Disclaimer: I did a lot of the work for marriott.com to run Microservices about 3+ years ago.

With that said, this is surprising to me: Information Protection at Marriott was one of the biggest hurdles to get the new version of their .com up and running, and the 2018 hack came from the Starwood Acquisition.

This one? There's really no good excuse for. Well, forcing employees to change their password every 30 days and keeping 12 months of password retention probably didn't help (super common to just suffix the month/year with your known password to get around that check). Either that, or it was a genuine bad actor/employee inside MI. Anything's possible, I guess.
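
The rotation weakness described above (a known password re-suffixed with the month/year sails through a history check that only compares exact values) can be caught at the policy layer by comparing password stems instead. This is an added example, not Marriott's code or anything from the thread; the stem-peeling rule, MIN_STEM, the sample passwords and the salt are assumptions, and a real deployment would run this alongside a proper password hash (argon2/bcrypt), not instead of one.

```python
import hashlib
import hmac
import re

# Month names, longest first, so "december" is peeled before "dec".
MONTHS = sorted(["january", "february", "march", "april", "may", "june", "july", "august",
                 "september", "october", "november", "december", "jan", "feb", "mar",
                 "apr", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], key=len, reverse=True)
TRAILING_PUNCT = "!@#$%^&*()-_=+.,;:/\\ "
MIN_STEM = 4  # stop peeling once fewer than this many characters would remain

def stem(password: str) -> str:
    # Peel trailing rotation noise (punctuation, digit runs like 0320/2020, month names).
    s = password.lower()
    while True:
        t = s.rstrip(TRAILING_PUNCT)
        t = re.sub(r"\d{1,6}$", "", t).rstrip(TRAILING_PUNCT)
        for m in MONTHS:
            if t.endswith(m) and len(t) > len(m):
                t = t[:-len(m)]
                break
        if t == s or len(t) < MIN_STEM:
            return s
        s = t

class PasswordHistory:
    # Hypothetical per-user history that stores only salted HMAC digests of stems.
    def __init__(self, user_salt: bytes, max_entries: int = 12) -> None:
        self.user_salt = user_salt
        self.max_entries = max_entries
        self._digests = []  # newest last

    def _digest(self, password: str) -> bytes:
        return hmac.new(self.user_salt, stem(password).encode(), hashlib.sha256).digest()

    def accept(self, new_password: str) -> bool:
        # Reject a date-suffix variant of any recent password; otherwise record it.
        d = self._digest(new_password)
        if any(hmac.compare_digest(d, old) for old in self._digests):
            return False
        self._digests.append(d)
        del self._digests[:-self.max_entries]
        return True

def demo():
    # Constructed sample: the "same password, new month" trick tried three times.
    history = PasswordHistory(user_salt=b"constructed-demo-salt")
    attempts = ["Welcome2019!", "Welcome0120!", "Welcome-Feb2020", "welcome_2021",
                "correct horse battery staple"]
    return [(p, history.accept(p)) for p in attempts]
```

Over-peeling (a word that happens to end in a month name) only makes the check stricter, which is the safe direction for a history rule.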

elipsey 1484 days ago [-]
Every Marriott I have ever been in was chosen for me, because of their business-friendly group booking system. There's an agent-principal problem with hotels that rely on corporate group rate and conference customers.

I went to the FedEx store in a Marriott a couple of blocks from here to drop off a pre-paid parcel, and they wanted a $20 "convenience" fee to leave it on the desk. Maybe Marriott doesn't need to care about guest infosec because guests are the product, not the customer.

I mean, no one pays $27 of their _own_ money for a continental breakfast...

Keverw 1484 days ago [-]
Wow, never heard of paying to drop off a package. Is that common? I thought the shipping fees, or postage if it's the government post office, are what's supposed to pay for that.
elipsey 1484 days ago [-]
I think the Fedex Store is operated by a private firm, and can therefore charge whatever it likes.
bogomipz 1484 days ago [-]
Sure, but I meant in the general sense. Even if they are mostly corporate bookings, it's not great for a company if their employees' personal details are there for the easy taking. Companies can and do change their travel policies as well.
SketchySeaBeast 1484 days ago [-]
I imagine this will probably be mostly duplicate data from last year's data breach. What a continual mess.
Drip33 1484 days ago [-]
On the bright side, nobody else is booking hotels anymore so they have time to fix their systems this time around.
waterfowl 1484 days ago [-]
they've furloughed 2/3 of their corporate HQ staff

https://wtop.com/business-finance/2020/03/marriott-furloughs...

spydum 1484 days ago [-]
Yup and the individual hotels are being cut just as hard if not harder. Bad days to be in the hospitality biz.
phyalow 1484 days ago [-]
It's not because I signed up to Bonvoy in January this year and just got an email. Anyone putting together a class action?
ogre_codes 1484 days ago [-]
Is it safe now to just assume that most everything about me has been exposed to someone? My only hope is that the number of places I've provided bogus information to creates enough noise that the truth is obscured some.
chrischen 1484 days ago [-]
Probably (Mastercard provides free monitoring of leaked databases: https://mastercardus.idprotectiononline.com/enrollment/embed... however the service is kinda garbage because they censor it so much that I have no idea what of my data is actually leaked), but from a quick Google search it looks like you've voluntarily given out a lot about yourself anyways. I think most people have and are lulled into a sense of false security simply because no one has a need to target them yet. Sort of like the "I've done nothing illegal so I have nothing to fear" mentality but substitute government with criminals.
notkaya 1484 days ago [-]
I often wonder how big my data footprint is. I don't have any social media, and I cycle between a few handles on any publicly facing site I keep an account with. I suppose Google must have all of my search history associated with my main email address, but I use several different emails and browsers in my day to day.

I guess I'm wondering how good all of these companies are at sharing data between themselves. What kind of data is exposed when I use my primary email to log into Zoom or Spotify on a work computer, or my phone, or one of my relative's computers? To what extent do these companies coordinate and share this data?

It all just seems like a really big unknown to me, and I'm relatively tech savvy.

president 1484 days ago [-]
This is the new norm. These hacks are not going to stop until these companies are actually punished for these breaches. One of the many things that are contributing to loss of faith in our system.
yoaviram 1484 days ago [-]
"Fool me twice, shame on me"

If you live in the EU or California and didn't send Marriott a GDPR/CCPA deletion request after the first breach please do it now: https://yourdigitalrights.org/?company=marriott.com

tzm 1484 days ago [-]
This is in addition to the 500 million customer breach in September 2018.

https://sensorstechforum.com/500-million-customers-marriott-...

josho 1484 days ago [-]
What protections/power do consumers have when their personal information is exposed like this?
foob4r 1484 days ago [-]
Complain about it online. /s
thelock85 1484 days ago [-]
How does one verify that the reported details exposed in the breach are the actual details? If that's impossible or really hard to do, wouldn't Marriott deny culpability given the pervasiveness of identity/CC fraud?
joshstrange 1484 days ago [-]
I wonder how many more instances of "taking out the trash" we are going to see as this pandemic continues. Suddenly it's like everyday is Friday...
ycombonator 1484 days ago [-]
Marriott is an outsourced shop (TCS, Cognizant et al.). They are an empty shell run by “managers”.
stevewodil 1484 days ago [-]
Shocking that outsourced IT can't secure customer data. In my own experience with outsourced IT (specifically outsourced to India) it was extremely worrying that the people managing an IT infrastructure had no idea about very basic IT and had to ask the same questions over and over.

I do not trust Accenture. Fuck them.

devdas 1483 days ago [-]
The paycheques of staff at these firms come from following process. The big perk they offer competent employees is to get a US or EU work visa and be deputed on-site (that is easily a 10X salary hike for people with less than 10 years of experience), and that perk is how they keep salaries low.

You could get more competent people, but they are less likely to follow process (which violates contract terms), and would cost more.

Edit: Also, if you work in one of the big service firms for a US client, you will have to do your day job, and then return to the office later at night to have meetings on US time.

Wmamouth 1484 days ago [-]
Marriott is not having a great month.
arghblarg 1484 days ago [-]
That headline, geez... remove the last four words and I guess it could be much, much worse :o
adrianmonk 1484 days ago [-]
Yeah, it is a bit of a garden-path sentence (https://en.wikipedia.org/wiki/Garden-path_sentence).
sneak 1484 days ago [-]
This is a good reason to carry a fake ID and a corporate credit card issued in the same name. (Most banks will allow you to issue subaccount cards on a corporate credit line in any name you type in the box.)

Being able to predict when you might be at a given hotel in the future (which is possible from one's stay history, e.g. a conference you attend every year) is tremendously useful for blackmailers, kidnappers, and the like.

I personally refuse to allow my PII in these databases on these grounds, and these days it's impossible to get a hotel room without an ID, so this is the only option.
