Yes, it was only related to Marriott's timeshare and vacation club
owners. That's a separate business from the hotel chain with
separate computer systems. By the way, Marriott Corporation owns
less than 10% of the hotels that bear their logo -- the rest are all
franchises, many of which are managed by (but not owned by)
Marriott.
There has been a lot of press about identity theft and lost personal
information in recent years, mostly due to California's law that requires
notification of any lost data that **could** lead to identity
theft. The data elements required to assume someone's identity in
the U.S. are full legal name, date of birth, and social security
number. As hotel guests, the most that the hotel chain would have
is a name, home address and credit card number -- not enough for identity
theft, but of course, it is enough for credit card fraud.
It's been common practice in the Information Technology industry to send
backup tapes via 3rd parties (UPS, FedEx, etc.) to offsite storage
facilities. Until recently, no one gave much thought to encrypting
them -- we trusted the 3rd party not to lose them, and there actually has
never been a confirmed case of identity theft or credit card fraud based
on a lost backup tape. Keep in mind that backup tapes are in a
compressed format -- on them is a stream of letters, numbers and other
symbols, and you have to know the format to be sure of where one data
item begins and another one ends. Most of the lost backup tapes
turn up eventually, and for many reasons, these incidents are largely
noise that isn't as bad as the press makes it sound. On the other
hand, obfuscation isn't the same as security, so companies are taking
steps to encrypt backup tapes to secure them from prying eyes. Here
is an article that recaps 2005's most infamous data security
breaches. The ones to be really concerned about are incidents like
CardSystems, ChoicePoint and LexisNexis where the thieves penetrated
their live systems and were clearly taking information so they could use
it or sell it.
http://www.baselinemag.com/article2/0,1397,1834526,00.asp?kc=BANKT0209KTX1K0100464
-- Andy Oppel, N6AJO
Pacific Division Vice Director
(also Principal Data Architect, Ceridian and author of
"Databases Demystified" and "SQL Demystified", both
published by McGraw-Hill/Osborne)
At 10:17 AM 12/29/2005, you wrote:
Gary,
As far as I see, this only relates to employees, members and customers of
Marriott’s Time Share unit and not their hotels unit.
I believe that anything we are doing with Marriott for the board meetings
would be totally different. I have never given Marriott my social
security number nor my bank account number. I am not
concerned.
- Bill N3LLR
From: Gary Johnston [mailto:gary@one.net]
Sent: Thursday, December 29, 2005 1:04 PM
To: arrl-odv
Subject: [arrl-odv:13430] Marriott customer data for 200,000 missing
As many of us are Marriott customers, I found the following
disturbing. /Gary KI4LA/
--
Marriott customer data for 200,000 missing
December 28, 2005
ORLANDO, Fla. --The timeshare unit of Marriott International Inc. is
notifying more than 200,000 people that their personal data are
missing after backup computer tapes went missing from a Florida
office.
The data relates to 206,000 employees, timeshare owners and timeshare
customers of Marriott Vacation Club International, the company said
in a statement Tuesday. The computer tapes were stored in Orlando,
where the unit is based.
The company did not say when the tapes disappeared. They contained
Social Security numbers, bank and credit card numbers, according to
letters the company began sending customers on Saturday.
... (article continues) ...
http://www.boston.com/business/articles/2005/12/28/marriott_customer_data_for_200000_missing/