Marriott International confirms data breach of guest information

Marriott International has confirmed a data breach of guests who have stayed at its hotels.

It is the second major data breach to hit the company in less than two years.

A statement on the company’s website said that hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February, it was identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.

Marriott believes the activity started in mid-January and that the following information may have been involved, although not for every guest affected: contact details, loyalty account information, additional personal details such as birthday or gender, partnerships and affiliations, and stay/room preferences.

Marriott sent emails about the incident to guests involved on March 31.

Upon discovery, Marriott confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring and arranged resources to inform and assist guests.

Although their investigation is ongoing, they currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver’s licence numbers.

They set up a self-service online portal for guests to be able to determine whether their information was involved in the incident and, if so, what categories of information were involved.

Terry Greer-King, VP EMEA at SonicWall, commented on the breach: “The Information Commissioner’s Office’s £99 million fine for Marriott in 2019 for a breach of GDPR was supposed to create much-needed reform on how the company processes and secures data. It appears that certain lessons are yet to be learned.

“With up to 5.2 million customer records leaked in this week’s breach, compromised material is believed to include phone numbers and email addresses. Leaked emails often give hackers enough leverage to target customers through phishing attacks. On the surface, the fact that there were no leaked passwords or financial details should limit the fallout for customers. The reality however is different, with cybercriminals able to use the leaked emails and contact details to create a process that extorts financial details or spreads malware further down the line.”

Samantha Humphries, Security Strategist at Exabeam, added: “If there is something positive to say about this breach notification, it’s that Marriott’s security team seems to have minimised the attacker’s dwell time to a little over a month. While still significant, 5.2 million compromised guests is a drastic reduction from almost half a billion the last time this organisation identified an attack. Despite this improvement – if we can call it that – whether the organisation did enough to shore up its security posture after the last breach will certainly be called into question.”

Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Center), said: “This data breach at Marriott International highlights the importance of performing a detailed threat model on business operations and then implementing appropriate monitoring controls to ensure that threat vectors can be quickly identified. In this case, the attack vector was via compromised employee credentials. Those credentials provided access to guest services within individual properties under the Marriott brand. Since employees often have access to sensitive customer data, creating appropriate alerts to detect credential misuse is particularly difficult. Examples of behaviours to look out for include: time of day (i.e., is the employee clocked in), scope of access (i.e., is the accessed data outside of their normal role), and volume of data (i.e., is the access consistent with how an employee would access data to address customer requirements). Implementing such controls requires organisations to look not only at the application security and how it’s deployed, but the intended usage patterns incorporating human factors data.”
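The three behaviours Mackey lists (time of day, scope of access, volume of data) expressed as detection logic run over a handful of constructed guest-application access records. This is an added example, not code from the article, from Marriott or from Synopsys; the shift windows, role scopes, per-account daily baselines and the alert multiplier are assumed values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not data from the incident):
# (employee_id, timestamp, data_category, records_returned)
ACCESS_LOG = [
    ("fd_001", "2020-01-15T09:12:00", "reservations", 3),
    ("fd_001", "2020-01-15T10:40:00", "loyalty", 2),
    ("fd_002", "2020-01-16T02:30:00", "loyalty", 900),          # off-shift, bulk pull
    ("fd_002", "2020-01-16T02:35:00", "contact_details", 1200),
    ("hk_003", "2020-01-16T11:00:00", "contact_details", 50),   # outside role scope
]

# Assumed clocked-in hours per account, as (start_hour, end_hour) on a 24h clock
SHIFTS = {"fd_001": (8, 17), "fd_002": (8, 17), "hk_003": (7, 15)}
# Assumed data categories each role legitimately needs
ROLE_SCOPE = {
    "fd_001": {"reservations", "loyalty", "contact_details"},
    "fd_002": {"reservations", "loyalty", "contact_details"},
    "hk_003": {"reservations"},
}
# Assumed typical records an account touches per day
DAILY_BASELINE = {"fd_001": 40, "fd_002": 40, "hk_003": 10}
VOLUME_MULTIPLIER = 5  # alert when a day's volume exceeds baseline * multiplier


def detect_credential_misuse(log, shifts, scope, baseline, multiplier=VOLUME_MULTIPLIER):
    """Return {employee_id: set_of_reasons} for accounts matching any of the
    three signals: access outside shift, access outside role scope, or
    daily volume far above the account's baseline."""
    findings = defaultdict(set)
    daily_volume = defaultdict(int)
    for emp, ts, category, count in log:
        when = datetime.fromisoformat(ts)
        start, end = shifts[emp]
        if not start <= when.hour < end:          # time of day: not clocked in
            findings[emp].add("time_of_day")
        if category not in scope[emp]:            # scope: data outside normal role
            findings[emp].add("scope")
        daily_volume[(emp, when.date())] += count
    for (emp, _day), total in daily_volume.items():
        if total > baseline[emp] * multiplier:    # volume: inconsistent with normal use
            findings[emp].add("volume")
    return dict(findings)


if __name__ == "__main__":
    for emp, reasons in detect_credential_misuse(
            ACCESS_LOG, SHIFTS, ROLE_SCOPE, DAILY_BASELINE).items():
        print(emp, sorted(reasons))
```

Each signal alone is noisy (a legitimate late shift, a one-off lookup); an account that trips two or more at once is the case worth escalating first.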
