Happy Holidays: We've Lost All Your Critical Data

from the how-nice dept

It's been one of the big themes this year, so perhaps it's not surprising at all to find out that the year is closing out with yet another big data breach. In this case, it's Marriott, which conveniently lost unencrypted backup tapes holding an "identity theft special" set of info on over 200,000 employees, time share owners and customers. Included in the data was every identity thief's dream starter kit: names, Social Security numbers, bank account numbers and credit card numbers. To apologize, Marriott has agreed to spend the $100 or whatever to give everyone impacted a free credit monitoring service -- which seems like the very least they could do.

Reader Comments


  • Steven Friedrich, 28 Dec 2005 @ 11:56am

    Liability

    The ONLY thing that will help to staunch this is for the companies that lose sensitive data to be held liable for $$$. It's sad that companies understand nothing else but, since most of the CEOs are amoral scum, the only thing that hurts them is big $$$ judgements or fines.

  • Brewski, 28 Dec 2005 @ 12:24pm

    No Subject Given

    Marriott has agreed to spend the $100 or whatever to give everyone impacted a free credit monitoring service

    This is a nice start, but not good enough. They should be paying damages along the lines of pain and suffering for the worry that this will cause their customers. They also need to be held 100% liable for any out of pocket expenses, including the time and attorney's fees that any identity theft victim incurs as a result of this breach.

    One would think that a "world class" company like Marriott would know better than to have unencrypted data floating around.

    • Craig Burnham, 28 Dec 2005 @ 12:30pm

      Re: No Subject Given

      They should be paying damages along the lines of pain and suffering for the worry that this will cause their customers.

      Sounds like you could be a trial lawyer.

    • John, 28 Dec 2005 @ 1:57pm

      Re: No Subject Given

      If they were a CISP Compliant company then it wouldn't have been lying around. Also, it should be everyone's due diligence to make sure that when you give any personal information it is being stored in accordance with Visa guidelines. It is not like identity theft is something new. With more and more use of the internet it is just becoming easier to do.

    • Lisala, 28 Dec 2005 @ 3:22pm

      Re: No Subject Given

      One would think that a "world class" company like Marriott would know better than to have unencrypted data floating around.

      I would think Marriott would send sensitive data to a document storage & protection company, where it's more secure and less expensive than some of the ideas I see floating around here. I'm really glad I haven't stayed at a Marriott recently.

  • Mike, 28 Dec 2005 @ 1:19pm

    No Subject Given

    With this just coming out you can't expect a company to share everything it plans on doing to help rectify the situation right away. The credit monitoring service is just a start. So why don't you judge Marriott after all the effects of this have come to light, and see how they've responded to everything. Something like this happening to any company is just a matter of targeting. If someone wants their data bad enough, they can get it.

  • Anonymous Coward, 28 Dec 2005 @ 1:31pm

    No Subject Given

    Alright, while we're talking about who should be paying for the damages, what about the people who were in charge of keeping that data in the first place, the IT staff?
    Have them pay out of pocket with the 25k a year they make and you won't see people sad for what they've done, you'll see a bunch of IT workers going postal. CEOs may be the amoral ones, but they're doing the damage control one I think.

  • rwwise, 28 Dec 2005 @ 1:47pm

    Cost Effective

    From a guy who has done backups at a major company. It is more cost effective to pay the fines/whatever than it is to pay for encryption/data security on your backup tapes. Making backups for that amount of data is a VERY EXPENSIVE operation; we are talking millions of dollars a year if not billions for the Fortune 500. Encryption and/or security is anywhere from 4 to 20 times the backup cost in dollars. Excluding the time each night while it all encrypts. The guy who talked about amoral CEOs just doesn't get it. It's the IT manager who won't make the call to the CIO and say HEY I want another couple million for a backup system. And even if he did the CIO would say hell no you're not blowing my budget like that. The CEO doesn't even hear about it until it's too late.

    • Aaron Friel, 28 Dec 2005 @ 4:12pm

      Re: Cost Effective

      "Encryption and/or security is anywhere from 4 to 20 times the backup cost in dollars."
      From a teenager who has spent more than 5 minutes researching cryptography; given that AES and SHA are free, all it takes is a little implementation time. How hard is it to store the backup tapes by encrypting each one with a single-use key, writing it on paper and placing it in a storage room that is under guard, surveillance, or what-not?

      • Andrew Strasser, 28 Dec 2005 @ 9:01pm

        Re: Cost Effective

        Harder than most would think, but you can do anything with the right amount of money.

        • Carmen S., 29 Dec 2005 @ 5:00am

          Re: Cost Effective

          I think everyone has missed the point for the most part. Like the line from "Sneakers", "It's about the information....it's about who controls the information." I am in IT for my corporation and we have redundant backup plans and security encryption and disaster recovery strategies. The most important thing to realize is that we're messin' with people's lives here. Critical info that never used to be massively available, now somehow ends up in the basement of some degenerate who thinks stealing from someone else is basically OK, because even if he/she gets caught, it's not that big of a deal. To me...that's the real issue. We reward criminal behavior by not making people, corporations, anyone, accountable for damaging the lives of others. I'm tired of hearing about reactive compensatory solutions. If you want to play, you have to pay...make your security foolproof...value your customers...show some respect for privacy, and above all, commit yourself to doing the right thing, even if you have to take your lumps in the process. Call me old school, but people are more than just a series of ones and zeros...

  • John, 28 Dec 2005 @ 1:54pm

    The price they have to pay.

    You have to realize that the Credit monitoring will be offered to all 200,000 people at $100.00 dollars a person. Now multiply that by 200,000 and it is quite an expensive mistake I am sure they will never make again, not to mention the legal troubles that will most definitely follow.

    • George, 29 Dec 2005 @ 8:50am

      Re: The price they have to pay.

      You also might realize that $100 worth of "credit monitoring" might only cost Marriott in the range of $200,000-1,000,000. The credit monitoring service will instantly get 200,000 new subscribers, a percentage of which will stay on for years. And I can't imagine that Marriott would keep on paying indefinitely.
      They won't be out millions on this one unless someone can show actual damages.

  • SarbOx, 29 Dec 2005 @ 5:18am

    Knock knock

    Who's there?

    Sarbanes-Oxley.
