Marriott International hotel chain in second data breach

The Marriott International hotel chain has fallen victim to its second major data breach in as many years, after information of 5.2 million guests was accessed using the login credentials of two employees at a franchise property.

The latest breach affected a guest services application used by hotels operated and franchised under its various brands, the firm said in an online disclosure notice.

“We believe this activity started in mid-January 2020,” said a spokesperson. “Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.

“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s licence numbers.”

Compromised information may involve contact details, including postal and email addresses and phone numbers; information relating to customer loyalty accounts, but not passwords; personal details such as employers, gender and birth dates; partnerships and affiliations, such as details of linked airline loyalty programmes; and guest preferences, such as room preferences and languages.

All Marriott customers impacted by the breach were emailed earlier today (31 March), and all Marriott Bonvoy members affected have had their account passwords disabled and must now reaccess and secure their accounts.

The firm has set up a self-service online portal for affected guests, as well as a contact centre, which can be reached from the UK on 0800 345 7018, and is also offering affecting customers the option to enrol in Experian’s IdentityWorks data monitoring service for free for the next 12 months.

Marriott warned that customers should be alert to the potential for phishing attempts to be made against them in the coming weeks, and urged those who have stayed at its hotels to be wary of anybody calling or emailing purporting to represent the company and asking for any information – such as payment cards, accounts or passwords. “Marriott will never call or email you to ask you to provide this information by phone or email,” said the spokesperson.

Although large, this latest incident is a drop in the ocean compared to Marriott’s 2018 data breach – which was at first thought to have affected 500 million people, although this was later revised down by over 100 million, seven million of them in the UK.

The 2018 breach affected reservations at its Starwood properties between 2014 and September 2018, and included information such as names, addresses, passport numbers, Starwood account information, birth dates, arrival and departure information and reservation dates.

As a result of the previous incident, the Information Commissioner’s Office (ICO) moved to fine Marriott International £99m under the European Union’s General Data Protection Regulation (GDPR).

The ICO criticised Marriott for failing to conduct due diligence on the IT and security systems of Starwood when it acquired the business in 2016, but highlighted that the firm had co-operated with its investigations and shown evidence that it had made improvements to its cyber security posture in the light of the first breach. The latest incident will cast doubt on how effective Marriott’s security reforms have actually been.