Hotel chain Marriott International has today announced that it has been hit by a second data breach exposing the personal details of “up to approximately 5.2 million guests”.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, exposed contact details (names, addresses, email addresses and telephone numbers) together with birth dates, gender, employer name, room stay preferences and loyalty account numbers.
The hotel company has stressed that not all data was exposed for each person.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise. Marriott has said that it has notified relevant authorities, and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted by the breach.
“Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” the company wrote in a statement.
“The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.”
Second Marriott data breach a key blow for company
The data breach follows a severe incident discovered in 2018 that saw the records of millions of guests exposed over the course of several years.
The previous incident centred on the Starwood hotel chain, a Marriott subsidiary, and exposed more severe customer data, including passport details. It ultimately saw the company slapped with a £99m fine under GDPR, one of the highest fines to date.
Today’s news is a concerning sign for the company, as it suggests that it has failed to learn vital lessons from its previous incident.
“A second attack is usually guaranteed after a breach of this scale but it is rare that threat actors actually gain entry a second time,” said Jake Moore, cybersecurity specialist at ESET.
“This is usually because targeted businesses bolster extra layers of protection where they can. Victims usually enter an underground ‘suckers list’, but it just adds embarrassment if they are struck a further time. This may in fact rub salt into a relatively fresh wound.”
The incident is also likely to cause significant reputational damage, a particularly severe problem given that many of the company's hotels will currently be suffering a loss of business as a result of the coronavirus.
“As if the hotel industry isn’t having enough time of it as it is at the moment, news of yet another data security breach will make travelers even more nervous of booking rooms,” said Graham Cluley, independent cybersecurity expert and host of the Smashing Security podcast.