Live updates: Monzo customers and the Marriott group data breach


(Beatrice Borbon) #1

We don’t believe that Monzo customers are at a greater risk of fraud due to the Marriott group data breach. But we’re keeping a close eye on it.

You can find more details, live updates, and FAQs in our blog post👇


(Scott) #2

Good to know that you're keeping your eye on this :clap: thank you Monzo :heart:


(Jack) #3

Very quick response! :+1:


(Alex) #4

I know it isn’t certain but
“Marriott did encrypt this information using Advanced Encryption Standard encryption (AES-128), but the company notes both components needed to decrypt payment card numbers may have been stolen.”

Source: https://www.theverge.com/2018/11/30/18119403/marriott-database-breach-starwood-hotels

?


#5

Marriott’s statement (http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/) says:

There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

Which can at once mean both “may have been stolen” (The Verge) and “there isn’t any information to suggest that this key was compromised” (Monzo).


(Daniel Chatfield) #6

It’s very difficult to prove a negative; the absence of evidence proving something didn’t happen doesn’t provide evidence that it did.

The fact that this access has been going on since 2014 gives a strong indication to me that they didn’t have access to card details as they’d have a strong incentive to use them if they did.

Naturally, we’ll continue to closely monitor this and act on any new information.


(Andre Borie) #7

Personally I wouldn’t care about the card details (which can change) but all the other data, including passport numbers.

Passport numbers aren’t as easy to change as a card number and are relied upon by more and more companies as a security check (Starling Bank, for example, asked for it multiple times to reset a password).


(Alex) #8

Very valid.

And @daniel, fair enough, v good point.

:pray:


(Dean Taylor) #9

Hi @natasha

Please consider rethinking the tone of this / future breach posts…

… slightly more caution in the reading of official breach posts with a “lawyer’s eye” / “pinch of salt”.

From the Monzo blog post:

you shouldn’t be at greater risk of financial fraud because no unencrypted card details have been leaked

I don’t believe this rings true, even with the “shouldn’t” here.

To be clear the official statement says:

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

With the two components being “the encrypted data” and the “encryption key”…

The official statement saying “not been able to rule out the possibility”, it would be more true to say (taken from the BBC post):

it could not rule out the possibility that the encryption keys had also been stolen

the company thinks the key may have been stolen too.

And thus “the card details may be accessible too” would be a more correct wording.


Also saying “shouldn’t be at greater risk of financial fraud” doesn’t lend itself to informing customers they are at higher risk of other types of fraud (identity, etc.) because of the other non-card details exposed in this data breach.


Perhaps if you are wanting to highlight a perhaps lower risk for Monzo customers you could mention the following:

  • The breach dates back to data from 2014 until 10th September 2018.
  • Most Monzo customers have had new cards from 2017 onwards with the switch over to “Monzo current accounts” reducing the risk time period.
  • Perhaps highlight the percentage of all payments now using 3DS verification via the app.
  • Highlight ongoing Monzo internal investigation and anti-fraud tracking.