Cyber Security Center

Marriott discloses data breach affecting 5.2 million customers


Hotel chain Marriott disclosed a data breach impacting 5.2 million guests.

 

rsz_1michal-mrozek-jty14j3ec6w-unsplash

Photo by Michal Mrozek on Unsplash

Marriott revealed on the 31st that a security incident exposed information of approximately 5.2 million guests. An investigation into the incident is currently ongoing but from the information provided by the hotel chain, it appears that malicious attackers were able to steal login credentials of two employees, which they used to access guest information.

“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” Marriott’s statement explains, adding that immediately after noticing the incident, they disabled the two login credentials, and an investigation was launched.

The hotel chain believes the activity started mid-January 2020. The attackers were able to access Marriott Bonvoy loyalty data, which includes names, mailing addresses, email addresses, phone numbers, account numbers, genders, dates of birth, and preferences data like language preference.

The full information accessed, according to Marriott:

  • Contact Details (e.g., name, mailing address, email address, and phone number);
  • Loyalty Account Information (e.g., account number and points balance, but not passwords);
  • Additional Personal Details (e.g., company, gender, and birthday day and month);
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers);
  • Preferences (e.g., stay/room preferences and language preference).

The company has also said they do not believe information such as passwords, PINs, payment card information, passport information, national IDs or driver’s license numbers was accessed.

Customers can check whether they were affected by the incident by filling out this form. Impacted guests were also informed of the incident on March 31, 2020 via email. Their passwords have been disabled, and customers will need to create a new one when they login, as well as enable multi-factor authentication. Marriott is also offering some affected guests a free year of personal information monitoring service.

Marriott was affected by another cyber attack back in November 2019, when attackers gained access to Starwood Hotel’s reservation system, which allowed them to take off with personal information of more than 383 million customers.