Marriott International Hit By Second Cyber Attack Affecting 5.2 Million Guests



Famed hotel chain Marriott International has announced the company was hit by a cyberattack that has exposed the personal information of “up to approximately 5.2 million guests.”


The breach, which began in January 2020, is the company's second widespread cyberattack in just a number of years, after a 2018 data breach saw the personal records of millions of guests exposed. In the 2018 breach, an unauthorised third party accessed the personal information, and even the credit card and passport numbers, of up to 500 million Marriott and subsidiary guests.


Marriott International confirmed the cyberattack via news release, stating that the company “announced that it was notifying some of its guests today of an incident involving a property system ... at this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved.”


These details included guests' names, mailing addresses, email addresses and phone numbers; loyalty account information such as account number and points balance; date of birth, gender and employer details; any linked airline loyalty points; and stay preferences.


According to reports, “the data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise.”


The company has stated that “at the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”


“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” the press release states.


A report from CNBC quotes Tyler Carbone, chief strategy officer at Terbium Labs, who said that “from what we know of the information exposed, this is the kind of data that provides good raw material for cybercrime.”


Marriott has reportedly notified relevant authorities and is in the early stages of notifying those affected by the breach. The company has launched a website for affected guests looking for support, and has unveiled some support services for them, including a dedicated call center and free access to twelve months of personal information monitoring.


After the 2018 breach, the Marriott group said it would pay for replacement passports for anyone impacted if the company found that “customers have been the victims of fraud,” so it’s safe to assume the same for the latest data breach if a Marriott guest finds themselves on the receiving end of fraud stemming from information that was accessed on Marriott’s networks.
