Marriott Rewards email snafu, customers get test email in error

If you are a Marriott Rewards member you may have received an email from them recently that didn't quite make sense.  I got one, it looked something like this:
 
--------------------------------------------------------------------------------
Subject:  "Don’t miss your free night from Marriott Rewards"
 
Attributes
FIRST_NAME : YOUR_NAME_HERE
CUSTOMER_KEY : ######## (8 digit number that I have removed)
MR_NUMBER : ######### (9 digit number that I have removed)
MR_NUMBER_ENCRYPTED : (32 character value here also removed)
TEST Links
Hosted Email Link Using MR_NUMBER : With MR_NUMBER Link
Hosted Email Link with out MR_NUMBER : Without MR_NUMBER Link
Hosted Email Link with out Jennies Suggestion : With entrypted MR Number & Customer key
--------------------------------------------------------------------------------
 
I inquired with Marriott about this and it was apparently an error.  Looks like they were testing some functionality but emails got sent to actual customers.  Here is their response email.
 
--------------------------------------------------------------------------------
"Dear Valued Guest,

Yesterday morning, you received an email from Marriott in error. We were testing functionality to further enhance your online experience. During the testing process, a small number of emails erroneously deployed.

In the email, you may have noticed your name and a reference to your MR number. Rest assured, the information contained therein is private and no information specific to you or your account was shared with anyone else. To reiterate, this email was sent to you in error, but the contents of the message itself pertain only to you and your account.

Marriott is committed to your data security and the protection of your personal information. We apologize for any confusion our earlier email may have caused.

Best regards,
The Marriott Team"
 
--------------------------------------------------------------------------------
 
What it doesn't say is whether this information in the email was "sensitive".  Why would there be a field MR_NUMBER_ENCRYPTED?  I followed a few of the URL's in the email and information similar to the email content was there on an unprotected web page.  Hmmm.
 
 
Kenneth M. Smith    CISSP CISA GCIH
Information Protection, Privacy, PCI Consulting
Phone: 978-595-1536 (1KEN)
Twitter: @ken5m1th

Posted via email from Kenneth M. Smith CISSP CISA GCIH FREAK

Retail sales associates sentenced for role in credit card, bank fraud

Four men from Atlanta Georgia were sentenced this week by United States District Judge Orinda D. Evans on charges of bank fraud, credit card fraud and aggravated identity theft.

http://www.databreaches.net/?p=7839

Posted via email from Kenneth M. Smith CISSP CISA GCIH FREAK

I'm getting more reports of card fraud (cloned cards) taking place in the South East

Maybe a month ago I wrote about reports of card fraud taking place in North Carolina.  These were physical (card present) transactions in which other items of approximately $200 each were purchased.  These are likely gift cards or some other form of anonymous payment card.  This likely means that there was a stripe data breach and fake cards were made with the card stripe data.

I heard another report of this more recently, this time from a Discover Card customer.  Same MO, and the fraudulent transaction took place at a Walmart store just like the others.

A stripe data breach that has yet to be disclosed perhaps? 

Posted via email from Kenneth M. Smith CISSP CISA GCIH FREAK

The ad says "Don't try this at home". But why the heck not?

This is an ad I saw for an after-school program in the Boston area. I've walked by it a number of times and it aggravates me when I see it. I'll tell you why.

The advertisers message is that you should not let your child do things like this at home, but instead send them to a place outside of the home (for which you would need to pay) where your child will supposedly be allowed to do such things. But my question is, why not?

Why not let them get messy, take chances, be creative, and even make mistakes? And why not at home so family and friends can enjoy?

Kids should be given the opportunity to do things like this at home. As Randy Pausch said in his world famous presentation The Last Lecture, "let your kids paint their room".
I completely agree.

Posted via email from Kenneth M. Smith CISSP CISA GCIH FREAK

BCBS suspected breach impact not just North East, now close to a million Dr's

There was a story recently about a stolen personal laptop of a BCBS associate in Chicago that contained some PII of approximately 39,000 doctors.

It looks like this issue involved much more than just Doctors in the New England region. See below (via Twitter).

idexperts: RT @amednews Breaking: 850,000 doctors could be hit by potential data breach from insurer's stolen laptop http://bit.ly/z5crm
Original Tweet: http://twitter.com/idexperts/status/4663639559

Posted via email from Kenneth M. Smith CISSP CISA GCIH FREAK