Happy Holidays: We've Lost All Your Critical Data

from the how-nice dept

It's been one of the big themes this year, so perhaps it's not surprising at all to find out that the year is closing out with yet another big data breach. In this case, it's Marriott, who conveniently lost unencrypted backup tapes of an "identity theft's special" set of info on over 200,000 employees, time share owners and customers. Included in the data was every identity thief's dream starter kit: names, social security numbers, bank account numbers and credit card numbers. To apologize, Marriott has agreed to spend the $100 or whatever to give everyone impacted a free credit monitoring service -- which seems like the very least they could do.


Reader Comments

  1.  

    Liability

    Steven Friedrich, Dec 28th, 2005 @ 11:56am

    The ONLY thing that will help to staunch this is for the companies that lose sensitive data to be held liable for $$$. It's sad that companies understand nothing else but, since most of the CEOs are amoral scum, the only thing that hurts them is big $$$ judgements or fines.


  2.  

    No Subject Given

    Brewski, Dec 28th, 2005 @ 12:24pm

    Marriott has agreed to spend the $100 or whatever to give everyone impacted a free credit monitoring service

    This is a nice start, but not good enough. They should be paying damages along the lines of pain and suffering for the worry that this will cause their customers. They also need to be held 100% liable for any out of pocket expenses, including the time and attorney's fees that any identity theft victim incurs as a result of this breach.

    One would think that a "world class" company like Marriott would know better than to have unencrypted data floating around.


  3.  

    Re: No Subject Given

    Craig Burnham, Dec 28th, 2005 @ 12:30pm

    They should be paying damages along the lines of pain and suffering for the worry that this will cause their customers.

    Sounds like you could be a trial lawyer.


  4.  

    Re: No Subject Given

    Brewski, Dec 28th, 2005 @ 12:43pm

    Sounds like you could be a trial lawyer.

    No &$&$# way! I'm an IT geek, thank God. Email system engineer.


  5.  

    Re: No Subject Given

    Jack Thompson, Dec 28th, 2005 @ 1:10pm

    I'm a trial lawyer


  6.  

    No Subject Given

    Mike, Dec 28th, 2005 @ 1:19pm

    With this just coming out you can't expect a company to share everything it plans on doing to help rectify the situation right away. The credit monitoring service is just a start. So why don't you judge Marriott after all the effects of this have come to light, and see how they've responded to everything. Something like this happening to any company is just a matter of targeting. If someone wants their data bad enough, they can get it.


  7.  

    Re: No Subject Given

    Anonymous Coward, Dec 28th, 2005 @ 1:19pm

    Sounds like you're a republican.


  8.  

    No Subject Given

    Anonymous Coward, Dec 28th, 2005 @ 1:31pm

    Alright, while we're talking about who should be paying for the damages, what about the people who were in charge of keeping that data in the first place, the IT staff?
    Have them pay out of pocket with the 25k a year they make and you won't see people sad for what they've done, you'll see a bunch of IT workers going postal. CEOs may be the amoral ones, but they're doing the damage control one I think.


  9.  

    Cost Effective

    rwwise, Dec 28th, 2005 @ 1:47pm

    From a guy who has done backups at a major company. It is more cost effective to pay the fines/whatever than it is to pay for encryption/data security on your back up tapes. Making backups for that amount of data is a VERY EXPENSIVE operation; we are talking millions of dollars a year if not billions for the Fortune 500. Encryption and/or security is anywhere from 4 to 20 times the backup cost in dollars. Excluding the time each night while it all encrypts. The guy who talked about amoral CEOs just doesn't get it. It's the IT manager who won't make the call to the CIO and say HEY I want another couple million for a backup system. And even if he did the CIO would say hell no you're not blowing my budget like that. The CEO doesn't even hear about it until it's too late.


  10.  

    The price they have to pay.

    John, Dec 28th, 2005 @ 1:54pm

    You have to realize that the Credit monitoring will be offered to all 200,000 people at $100.00 dollars a person. Now multiply that by 200,000 and it is quite an expensive mistake I am sure they will never make again, not to mention the legal troubles that will most definitely follow.


  11.  

    Re: No Subject Given

    John, Dec 28th, 2005 @ 1:57pm

    If they were a CISP compliant company then it wouldn't have been lying around. Also, it should be everyone's due diligence to make sure that when you give any personal information it is being stored in accordance with Visa guidelines. It is not like identity theft is something new. With more and more use of the internet it is just becoming easier to do.


  12.  

    Re: No Subject Given

    Lisala, Dec 28th, 2005 @ 3:22pm

    One would think that a "world class" company like Marriott would know better than to have unencrypted data floating around.

    I would think Marriott would send sensitive data to a document storage & protection company, where it's more secure and less expensive than some of the ideas I see floating around here. I'm really glad I haven't stayed at a Marriott recently.


  13.  

    Re: Cost Effective

    Aaron Friel, Dec 28th, 2005 @ 4:12pm

    "Encryption and/or security is anywhere from 4 to 20 times the backup cost in dollars."
    From a teenager who has spent more than 5 minutes researching cryptography; given that AES and SHA are free, all it takes is a little implementation time. How hard is it to store the backup tapes by encrypting each one with a single-use key, writing it on paper and placing it in a storage room that is under guard, surveillance, or what-not?


  14.  

    Re: Cost Effective

    Andrew Strasser, Dec 28th, 2005 @ 9:01pm

    Harder than most would think, but you can do anything with the right amount of money.


  15.  

    Re: Cost Effective

    Carmen S., Dec 29th, 2005 @ 5:00am

    I think everyone has missed the point for the most part. Like the line from "Sneakers", "It's about the information....it's about who controls the information." I am in IT for my corporation and we have redundant backup plans and security encryption and disaster recovery strategies. The most important thing to realize is that we're messin' with people's lives here. Critical info that never used to be massively available, now somehow ends up in the basement of some degenerate who thinks stealing from someone else is basically OK, because even if he/she gets caught, it's not that big of a deal. To me...that's the real issue. We reward criminal behavior by not making people, corporations, anyone, accountable for damaging the lives of others. I'm tired of hearing about reactive compensatory solutions. If you want to play, you have to pay...make your security foolproof...value your customers...show some respect for privacy, and above all, commit yourself to doing the right thing, even if you have to take your lumps in the process. Call me old school, but people are more than just a series of ones and zeros...


  16.  

    Knock knock

    SarbOx, Dec 29th, 2005 @ 5:18am

    Who's there?

    Sarbanes-Oxley.


  17.  

    Re: The price they have to pay.

    George, Dec 29th, 2005 @ 8:50am

    You also might realize that $100 worth of "credit monitoring" might only cost Marriott in the range of $200,000-1,000,000. The credit monitoring service will instantly get 200,000 new subscribers, a percentage of which will stay on for years. And I can't imagine that Marriott would keep on paying indefinitely.
    They won't be out millions on this one unless someone can show actual damages.


