[ISN] Marriott Discloses Missing Data Files

From: InfoSec News (isn@private)
Date: Wed Dec 28 2005 - 11:20:06 PST


Fowarded from: William Knowles <wk@private>

http://www.washingtonpost.com/wp-dyn/content/article/2005/12/27/AR2005122700959.html

By Michael S. Rosenwald
Washington Post Staff Writer
December 28, 2005

Marriott International Inc.'s time-share division said yesterday that
it is missing backup computer tapes containing credit card account
information and the Social Security numbers of about 206,000
time-share owners and customers, as well as employees of the company.

Officials at Marriott Vacation Club International said it is not clear
whether the tapes, missing since mid-November, were stolen from the
company's Orlando headquarters or whether they were simply lost.

An internal investigation produced no clear answer. The company
notified the Secret Service over the past two weeks, and has also told
credit card companies and other financial institutions about the loss
of the tapes.

The company began sending letters to time-share owners and customers
Saturday, and issued a press release about the loss yesterday. Company
officials said they delayed making the matter public until they had
researched what information was on the tapes and whom it affected, and
determined the issue was sensitive enough to warrant a broad
disclosure.

"At this point, we are taking all things into consideration," company
spokesman Ed Kinney said. "The tapes may have been taken, but they
could have been misplaced. We're still investigating the situation."

The Vacation Club has told time-share owners, customers and the
division's employees to be on the alert for changes to their credit
histories or accounts. So far no one has reported any misuse, Kinney
said. Those affected have been offered free credit monitoring
services.

"We regret this situation has occurred and realize this may cause
concern for our associates and customers," said Stephen P. Weisz,
president of Marriott Vacation Club International, a wholly owned
subsidiary of the Bethesda hotel chain. More than 280,000 families use
its time-shares worldwide.

The loss of Marriott's tapes is the latest in a series of high-profile
security lapses involving data that can be used in identity theft
schemes. In 2005, there were at least 134 data breaches affecting more
than 57 million people, according to the Identity Theft Resource
Center, a California nonprofit that helps people hurt by identity
theft and lobbies on computer-privacy issues.

Last February, ChoicePoint Inc. disclosed that it had released
thousands of reports containing names, addresses, Social Security
numbers and financial information to people posing as officials in
legitimate insurance, debt-collection and check-cashing businesses. In
June, MasterCard International said that Card Systems Solutions, which
processes credit card transactions, had been hacked and that forty
million people had their credit card information exposed.

Even high-security defense companies have been victimized. In January,
thieves stole computers from Science Applications International Corp.  
of San Diego that contained personal data on thousands of current and
past employees, including former military and intelligence officials.

It is not clear how many cases of identity theft have been caused by
the data breaches. There are about 10 million cases of identify theft
a year, with total losses of $53 billion, said Robert Douglas, a
Colorado privacy consultant and chief executive of PrivacyToday.com.

The costly identity theft schemes have caused state and federal
lawmakers to fight for tighter protection of personal data and quick
disclosures of breaches.

In 2003, California became the first state to pass a rigorous
disclosure law requiring that organizations inform individuals if
their personal information is compromised. More than 20 states have
passed similar laws since then. Congress is considering more than two
dozen bills on what companies should be required to do in data breach
cases.

"For the longest time, people have said it's the consumers' fault,"  
Douglas said. "They don't shred their bank statements at home, or what
have you. But since the California law was passed now we are learning
how much of this information has been breached and is floating around
out there."

"We try to be proactive in cases like this," Kinney said. "We followed
our own process of being open and proactive."

Kinney said the tapes, which require specialized equipment to access,
were the responsibility of the company's information resources group.  
Citing company policy, he declined to say if anyone from the group had
been dismissed or disciplined because of the disappearance of the
tapes.

© 2005 The Washington Post Company


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Fri Dec 30 2005 - 18:56:27 PST