Marriott says 5.2M guests exposed in new data breach (reuters.com)
220 points by pseudolus on March 31, 2020 | 69 comments


The reason the practice of collecting consumer data is so prevalent is that it is very easy to do and opens potential opportunities for the business in future. Never mind that it exposes consumers to risks.

The practice won't stop until consumer data becomes a liability for any business touching it. At that time, only businesses that are actually able to utilize the data to derive revenue sufficient to compensate the liability will continue to collect it. Hopefully, in many cases the revenue would come about as a result of creation of some value for the consumer.


> contact details, loyalty account information and additional personal details such as gender and birthdays

I'm always wondering why a random service would need a date of birth (apart from validating "the person is an adult"). Some of them give you a special promo for your birthday, but I guess I can live without that.

Except for banking & government services, I typically provide a fake one if required, because, WTF?


Name + DOB to disambiguate are the lookup keys they pass to data brokers to identify you, given a government ID (required to check in to a hotel). It gives them access to things like address history, email address history (for crosslinking of account records), credit rating, marketing channel tags, etc.

Same goes for the phone number that some website registrations demand. It's not to call you, it's to lookup your name and address and annual income.


Huh, I chose a random date from the year before I was born and use it whenever sites ask for my birthday. I’ve never had one come back and say that isn’t really my birthday.


And for Dairy Queen, I gave them a date in the summer. Getting coupons in the middle of winter isn't too useful!


It’s been a while since I checked in to a hotel but the only thing I remember giving them was my debit card.

Maybe I’m just so used to being asked for my ID I didn’t notice.


It's because marketing teams like to send you emails on your birthday to "make you feel special", because apparently a lot of people can't see through this tactic.


I often edit my birthday to coincide with my stays.


You could just travel on your bday :D


But why only do it once a year?


Have you ever gotten perks out of it?


Gather as much as you can is their idea. It costs you nothing, but it may be valuable one day.


I wonder if there will be a "data bubble" that will burst.

I mean, I would imagine a TON of places have my birthday now. How valuable is that information really?


Entering your birthday is one of the main methods for account recovery for legacy systems like schools, hospitals, government websites, etc. It's stupid and many companies have moved away from that, but it was definitely more of a thing a few years ago.


What's to burst? Storage is dirt cheap and they get their tiny data breach fines (if any) whether or not they store the color of your second dog's favorite chew toy with the rest of the info.


But that's exactly it - if it's so cheap, why is data so valuable?


Storage is cheap, collecting the data is expensive. I mean this company had to run a national chain of hotels to collect this data. That's not easy.


Okay, then collecting the data is expensive. Storage being cheap really doesn't matter. You can store tons of unstructured data but that data isn't valuable until it is structured which takes time and money.


Organizing the data is part of collecting it. For something like customer checkin data it would seem to be organized right at the point of collection. The clerk types your data into a database record and submits it to the store.


Until it becomes a liability under the GDPR...


My father and I both have the same first and last name, and the same mailing address. Our birthdays are two days apart. We use the same pharmacy. DOB (including year) is important!


Don't they use personal ID number (e.g. SSN) to differentiate people? Or do you live in a place where you don't have those numbers?


Not everyone in the US has an SSN.


Same name? Is that common where you live? That would be .. unconventional around here, to put it mildly.


Sure, very common.

John Smith, John Smith Jr...


Right, now that I think about it I'm familiar at least with the George Bush case of like father, like son.


It's mostly the YOB that's valuable; 'basic demographics' is a powerful tool.

Full DOB can probably isolate you from other people with same name for other marketing purposes.

They do have 'adult v child' stuff so they for sure have legit reasons for wanting to know in addition to sleazy reasons.


I've never given my birthday or gender to a hotel, so my best guess is that they just have this info for some people but not most (rewards programs, perhaps?). It's possible they write it down when I give them my ID, but it seems like a lot of work for very little payoff.


In the US it is common now to swipe the driver’s license in order to verify age, at places as varied as bars and nightclubs, liquor stores, general shops that also sell liquor, and such.

All you need to prove is your age, but the company that puts the scanner in place (in the case of bars and restaurants) collects all the info on the DL. Walgreens collects all the info and correlates it with your CC if you don’t pay by cash. Etc.

Any major hotel will simply swipe your DL and will populate the guest record with its info.


I’m not aware of any major hotel brand that swipes driver’s licenses yet in the US.


Huh? I don't think I've ever checked into a hotel and not been asked to hand over my driver's license so the clerk can punch in a bunch of info from it onto their machine.

I assume it's to help them track you down if you cancel your credit card, trash the room, and flee.


But they don’t swipe it.


The last hotel I stayed in, a W, did it as I checked in. And hmm, just realised they’re owned by Marriott.


Seems like having a birthday (and therefore age) for everyone checking into a hotel could be valuable for business intelligence and other analytics.


Luckily, Mariott doesn't have anything else to worry about right now.


Pandemic aside, they still have a $100M GDPR fine hanging from a previous breach!

https://www.theregister.co.uk/2020/01/13/ico_british_airways...


Not the worst time for the publicity.


Every time I asked for my copied ID to be watermarked when checking in at hotels, they gave me a strange look - as if I do not trust their information security.


Would you elaborate how to do this?


Yeah, I would like some more details. Not sure I understood what exactly it means to "watermark" the ID. Is the goal to change it subtly to find out if it was leaked? Or is the goal to redact parts of it?


Smart idea, thanks.


The last breach was November of 2018. They have had a year and a half to fix their abysmal security practices. Instead they chose to focus their efforts in that time on a ridiculous branding juggernaut ("Bonvoy"). Seriously fuck this company. I hope people vote with their wallet.


Disclaimer: I did a lot of the work for marriott.com to run Microservices about 3+ years ago.

With that said, this is surprising to me: Information Protection at Marriott was one of the biggest hurdles to get the new version of their .com up and running, and the 2018 hack came from the Starwood Acquisition.

This one? There's really no good excuse for. Well, forcing employees to change their password every 30 days and keeping 12 months of password retention probably didn't help (super common to just suffix the month/year with your known password to get around that check). Either that, or it was a genuine bad actor/employee inside MI. Anything's possible, I guess.
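
The rotation-plus-history failure mode described in the comment above (30-day forced rotation, 12 passwords of history, users suffixing the month/year), as an added example that is not part of the thread and not Marriott's code. The 12-entry history, the password strings, the root-stripping rules and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Why an exact-match password-history check does nothing against month/year
suffixing, and what a stricter check looks like.

Everything here is constructed for illustration; the sample history is made up.
"""
import re

# Constructed 12-month history for one user who "rotates" by changing the suffix.
SAMPLE_HISTORY = [
    "Hospitality!Jan19", "Hospitality!Feb19", "Hospitality!Mar19",
    "Hospitality!Apr19", "Hospitality!May19", "Hospitality!Jun19",
    "Hospitality!Jul19", "Hospitality!Aug19", "Hospitality!Sep19",
    "Hospitality!Oct19", "Hospitality!Nov19", "Hospitality!Dec19",
]

_MONTH = (r"(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?"
          r"|jul(?:y)?|aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)")
MONTH_AT_EDGE = re.compile(rf"^{_MONTH}|{_MONTH}$")


def naive_history_check(candidate: str, history: list[str]) -> bool:
    """The check the comment describes: accept unless the exact string was used before."""
    return candidate not in history


def root(password: str) -> str:
    """Strip the decorations people cycle through (case, punctuation, a month name
    and a year at either end) and return the reused core. Lossy by design: this is
    only ever compared, never stored as a credential."""
    p = re.sub(r"[^a-z0-9]", "", password.lower())   # drop punctuation/case
    p = re.sub(r"^\d+|\d+$", "", p)                   # digits at either end (e.g. year)
    p = MONTH_AT_EDGE.sub("", p)                      # month name at either end
    p = re.sub(r"^\d+|\d+$", "", p)                   # digits that sat before the month
    return p


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small values mean a trivial tweak of an old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strict_history_check(candidate: str, history: list[str],
                         max_distance: int = 3) -> tuple[bool, str]:
    """Reject a candidate that is a verbatim reuse, shares a root with any prior
    password, or is within max_distance edits of one. Returns (accepted, reason)."""
    if candidate in history:
        return False, "reused verbatim"
    cand_root = root(candidate)
    for old in history:
        if cand_root and cand_root == root(old):
            return False, f"same root as a prior password ({cand_root!r})"
        if edit_distance(candidate.lower(), old.lower()) <= max_distance:
            return False, f"within {max_distance} edits of a prior password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Hospitality!Jan20", "Hospitality!Jan19", "correct horse battery staple"):
        print(pw, "naive:", naive_history_check(pw, SAMPLE_HISTORY),
              "strict:", strict_history_check(pw, SAMPLE_HISTORY))
```

"Hospitality!Jan20" sails through the naive check (never used verbatim) and is rejected by the strict one (same root as every entry in the history). Two practical caveats: a real system stores history as hashes, so the root/distance comparison can only run at change time against the plaintext the user just typed (the old and the new password), unless a keyed hash of the root is stored alongside each entry; and NIST SP 800-63B has recommended since 2017 that forced periodic rotation be dropped altogether in favour of screening new passwords against breached-password lists and changing them only on evidence of compromise, which removes the incentive to suffix in the first place.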


Every Marriott I have ever been in was chosen for me, because of their business-friendly group booking system. There's a principal-agent problem with hotels that rely on corporate group rate and conference customers.

I went to the fedex store in a Marriott a couple of blocks from here to drop off a pre-paid parcel, and they wanted a $20 "convenience" fee to leave it on the desk. Maybe Marriott doesn't need to care about guest infosec because guests are the product, not the customer.

I mean, no one pays $27 of their _own_ money for a continental breakfast...


Wow, never heard of paying to drop off a package. Is that common? I thought the shipping fees (or postage, if gov post office) are what's supposed to pay for that.


I think the Fedex Store is operated by a private firm, and can therefore charge whatever it likes.


Sure, but I meant in the general sense. Even if they are mostly corporate bookings, it's not great for a company if their employees' personal details are there for the easy taking. Companies can and do change their travel policies as well.


I imagine this will probably be mostly duplicate data from last years data breach. What a continual mess.


On the bright side, nobody else is booking hotels anymore so they have time to fix their systems this time around.


they've furloughed 2/3 of their corporate HQ staff

https://wtop.com/business-finance/2020/03/marriott-furloughs...


Yup and the individual hotels are being cut just as hard if not harder. Bad days to be in the hospitality biz.


It's not because I signed up to Bonvoy in January this year and just got an email. Anyone putting together a class action?


Is it safe now to just assume that most everything about me has been exposed to someone? My only hope is that the number of places I've provided bogus information to creates enough noise that the truth is obscured some.


Probably (Mastercard provides free monitoring of leaked databases: https://mastercardus.idprotectiononline.com/enrollment/embed... however the service is kinda garbage because they censor it so much that I have no idea what of my data is actually leaked), but from a quick Google search it looks like you've voluntarily given out a lot about yourself anyways. I think most people have and are lulled into a sense of false security simply because no one has a need to target them yet. Sort of like the "I've done nothing illegal so I have nothing to fear" mentality but substitute government with criminals.


I often wonder how big my data footprint is. I don't have any social media, and I cycle between a few handles on any publicly facing site I keep an account with. I suppose Google must have all of my search history associated with my main email address, but I use several different emails and browsers in my day to day.

I guess I'm wondering how good all of these companies are at sharing data between themselves. What kind of data is exposed when I use my primary email to log into Zoom or Spotify on a work computer, or my phone, or one of my relative's computers? To what extent do these companies coordinate and share this data?

It all just seems like a really big unknown to me, and I'm relatively tech savvy.


This is the new norm. These hacks are not going to stop until these companies are actually punished for these breaches. One of the many things that are contributing to loss of faith in our system.


"Fool me twice, shame on me"

If you live in the EU or California and didn't send Marriott a GDPR/CCPA deletion request after the first breach please do it now: https://yourdigitalrights.org/?company=marriott.com


This is in addition to the 500 million customer breach in September, 2018.

https://sensorstechforum.com/500-million-customers-marriott-...


What protections/power do consumers have when their personal information is exposed like this?


Complain about it online. /s


How does one verify that the reported details exposed in the breach are the actual details? If that's impossible or really hard to do, wouldn't Marriott deny culpability given the pervasiveness of identity/CC fraud?


I wonder how many more instances of "taking out the trash" we are going to see as this pandemic continues. Suddenly it's like every day is Friday...


Marriott is an outsourced shop (TCS, Cognizant et al.). They are an empty shell run by "managers".


Shocking that outsourced IT can't secure customer data. In my own experience with outsourced IT (specifically outsourced to India) it was extremely worrying that the people managing an IT infrastructure had no idea about very basic IT and had to ask the same questions over and over.

I do not trust Accenture. Fuck them.


The paycheques of staff at these firms come from following process. The big perk they offer competent employees is to get a US or EU work visa and be deputed on-site (that is easily a 10X salary hike for people with less than 10 years of experience), and that perk is how they keep salaries low.

You could get more competent people, but they are less likely to follow process (which violates contract terms), and would cost more.

Edit: Also, if you work in one of the big service firms for a US client, you will have to do your day job, and then return to the office later at night to have meetings on US time.


Marriott is not having a great month.


That headline, geez... remove the last four words and I guess it could be much, much worse :o


Yeah, it is a bit of a garden-path sentence (https://en.wikipedia.org/wiki/Garden-path_sentence).


This is a good reason to carry a fake ID and a corporate credit card issued in the same name. (Most banks will allow you to issue subaccount cards on a corporate credit line in any name you type in the box.)

Being able to predict when you might be at a given hotel in the future (which is possible from one's stay history, e.g. a conference you attend every year) is tremendously useful for blackmailers, kidnappers, and the like.

I personally refuse to allow my PII in these databases on these grounds, and these days it's impossible to get a hotel room without an ID, so this is the only option.



