Marriott's breach response is so bad, security experts are filling in the gaps — at their own expense


Olde Hornet

Marriott's breach response is so bad, security experts are filling in the gaps — at their own expense

https://techcrunch.com/2018/12/03/marriott-data-breach-response-risk-phishing/?yptr=yahoo

Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations had been stolen from its Starwood database.

One problem: the email sender’s domain didn’t look like it came from Marriott at all.

Marriott sent its notification email from “email-marriott.com,” which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate — the domain doesn’t load or have an identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.

But what makes matters worse is that the email is easily spoofable.

Often after a data breach, scammers will capitalize on the news cycle by tricking users into turning over their private information with their own stream of fake messages and websites. It’s more common than you think. People who think they’re at risk after a breach are more susceptible to being duped.



 