Second Marriott Data Breach Affects 5.2M Guests

BETHESDA, MD—Marriott International has had its second data breach in less than two years.

The company is notifying some of its guests of an incident involving a property system. The notice explains what occurred, the information involved, the measures taken by Marriott to investigate and address the issue, how the company is assisting guests, and steps guests can consider taking.

Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.

Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver’s license numbers.

At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved:

  • contact details (name, mailing address, email address and phone number)
  • loyalty account information (account number and points balance, but not passwords)
  • additional personal details (company, gender, and birthday day and month)
  • partnerships and affiliations (linked airline loyalty programs and numbers)
  • preferences (stay/room preferences and language preference)

Marriott is sending emails to guests involved. Marriott has also set up a dedicated website (www.mysupport.marriott.com) and call center resources with additional information for guests. The call center resources can be reached by calling the numbers listed on the dedicated website. The email sent to guests and the website also contain a list of steps guests involved can consider taking and information about enrolling in a personal information monitoring service that Marriott is providing.

Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage. The company does not currently believe that its total costs related to this incident will be significant.

The company previously revealed a data breach in November 2018 that ultimately affected 318 million guests.

Cyber Security Experts React

Kelly White, CEO, RiskRecon, noted, “The essential practices of protecting systems and applications are well known—they are enumerated in the NIST Cybersecurity Framework. Companies can choose to either proactively implement those practices consistently in their systems, or they can choose to be frequently compromised. There is no other alternative. This breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring. Either of these would have prevented the breach, either by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior.”
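The account activity monitoring White refers to can be as simple as counting how many guest records each account looks up per day and comparing that to the account's own history. The following is an added illustration, not Marriott's code and not derived from its application or logs: the log format, the account names (fd_alice, fd_bob), the per-day volumes and the thresholds are all constructed for the example.

```python
"""Per-account lookup-volume anomaly detection over constructed access logs.

Added example, not Marriott's code. Assumed (hypothetical) log line format:
    YYYY-MM-DD <user> <action> <record_id>
A day is flagged when an account's guest_lookup count exceeds a multiple of
the median of its own earlier, non-flagged days, or an absolute ceiling.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def parse_line(line):
    """Split one constructed log line into (date, user, action, record_id)."""
    day_s, user, action, record = line.split()
    year, month, day = map(int, day_s.split("-"))
    return date(year, month, day), user, action, record


def count_daily_lookups(lines, action="guest_lookup"):
    """Return {(user, date): number of `action` events} over the given lines."""
    counts = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        day, user, act, _ = parse_line(line)
        if act == action:
            counts[(user, day)] += 1
    return dict(counts)


def detect_volume_anomalies(counts, multiplier=5.0, min_history_days=3,
                            absolute_ceiling=1000):
    """Flag (user, day) pairs whose count is far above the account's baseline.

    The baseline is the median of that account's earlier days. Flagged days
    are NOT added to the history, so a long-running high-volume access does
    not quietly raise its own baseline. An absolute ceiling catches accounts
    that have too little history for a baseline.
    """
    per_user = defaultdict(dict)
    for (user, day), n in counts.items():
        per_user[user][day] = n

    alerts = []
    for user, days in per_user.items():
        history = []
        for day in sorted(days):
            n = days[day]
            baseline = median(history) if len(history) >= min_history_days else None
            reason = None
            if n > absolute_ceiling:
                reason = f"{n} lookups exceeds absolute ceiling {absolute_ceiling}"
            elif baseline is not None and n > multiplier * max(baseline, 1):
                reason = (f"{n} lookups is {n / max(baseline, 1):.1f}x the median "
                          f"of the previous {len(history)} days ({baseline})")
            if reason:
                alerts.append({"user": user, "day": day, "count": n,
                               "baseline": baseline, "reason": reason})
            else:
                history.append(n)
    return alerts


def build_sample_log():
    """Constructed sample: fd_alice does 20 lookups/day; fd_bob does 15/day,
    then 600 on the final day. Non-lookup actions must not be counted."""
    lines = []
    start = date(2020, 1, 6)
    for i in range(6):
        day = start + timedelta(days=i)
        for k in range(20):
            lines.append(f"{day} fd_alice guest_lookup G{i:02d}{k:03d}")
        bob_lookups = 600 if i == 5 else 15
        for k in range(bob_lookups):
            lines.append(f"{day} fd_bob guest_lookup G{i:02d}{k:03d}")
        lines.append(f"{day} fd_bob login -")
    return lines


def run_demo():
    """Run the detector over the constructed sample and return the alerts."""
    return detect_volume_anomalies(count_daily_lookups(build_sample_log()))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert['day']} {alert['user']}: {alert['reason']}")
```

In the constructed sample only fd_bob's final day is flagged; fd_alice's steady volume and fd_bob's ordinary days stay under the threshold. In practice the same counting would run per account over the application's real audit trail, with thresholds tuned to the role (a front-desk account has a very different normal than a reporting job).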

Alyn Hockey, VP product management with cyber security firm Clearswift, agreed. “Less than 18 months after one of the biggest data breaches in history, one would have hoped that Marriott had really locked down its cyber security to ensure it didn’t happen again,” he said. “So, the news that the details of a further 5.2 million Marriott customers have been breached is alarming.”

He continued, “This type of data theft is becoming more and more commonplace, and data stolen in this instance included details such as name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, date of birth, linked loyalty scheme information from other companies—this is all highly valuable in the wrong hands.”

Hockey said protecting data involves three things. “Successful cyber security is not just a question of investing in the latest software; it’s about a combination of people, processes and technology,” he said. “If an organization is lacking any one of these three, then they will be vulnerable.”

Hockey expects the company will be receiving another large fine in the U.K. for this latest breach. “When people use a hotel, they rightly expect their data to remain private and customer data security should be a priority,” he said. “Marriott will probably be looking at another large fine for this latest breach, but the long-term brand implications might be even worse.”