Cyber Blog

Marriott International finds itself a victim of another major data breach, making it the second attack the hotel chain company has suffered in the past three years. The company announced on March 31st with details of the breach which affected 5.2 million hotel guests. The breach started in mid-January this year and went on for about six weeks, bringing it to the end of February before it was detected.

Hotels that are under Marriott International umbrella brand make use of an app to serve hotel guests. The hotel chain company found out at the end of February that the login details of two staff members were being used to access a large amount of guest information.

The login credentials have since been disabled and the hotel group where the two employees work are currently under investigation. For some reason, Marriott claims that the people behind the data breach did not take personal guest information such as drivers license numbers or passport details. Marriott International provided the statement:

“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy (its loyalty scheme) account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

However, given Marriott’s response to the data breach, we believe that it might have accessed personal information of customers. Contact details such as, name, phone number, email address, and mailing address. Marriott loyalty details may have also been accessed, which include, points balance and account number, although not passwords. Other personal information that may have been accessed include birthday, gender, company, affiliations and partnership details of linked airline loyalty programs. Lastly, guest preferences of choice of language, room, and stay could have also been exposed.  

Marriott contacted affected customers, asking them to reset their passwords and enable two-factor authentication. Customers who are likely affected are offered free enrollment into Identity Works for one year. Other worried customers can check a dedicated portal to see whether they were part of the affected group. To prevent phishing attacks, the company has provided an official email address (marriott@email‑marriott.com) for customers to reach them on.

As mentioned above, this is Marriott’s second time of suffering a data breach in three years, the previous one was in 2018 and it affected about 400 million customers. The hackers also went for the personal information of the hotel guests. Insurance paid for the cost of the 2018 breach and we might be seeing that happen with this data breach as well.

One may wonder why Marriott is falling victim to data breach again so soon. The CEO of RiskRecon, Kelly White notes a lack of enforcement on two-factor authentication and user account activity monitoring. In a statement she said:

“Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior,”.

Marriott International may not suffer a great deal from this data breach except that its stock is down by 7%. However, the hackers are already armed with enough personal information to create a ripple effect of security breaches in the coming weeks or months.

This is this year’s second major data breach affecting a hotel, the first being MGM Resorts. MGM Resorts announced in February that a data breach affected more than 10.6 million of its customers, including high profile customers such as Jack Dorsey and Justin Bieber.