Marriott has disclosed on its website a major data breach affecting up to 5.2 million customer records.
Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the hotel chain identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.
Marriott believes this activity started in mid-January 2020. Upon discovery, the login credentials were disabled, an investigation was initiated, and monitoring was heightened. The investigation is ongoing, and the company reported that it currently has “no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
Marriott believes that the following information may have been involved, although not all of this information was present for every guest involved:
- Contact Details (e.g., name, mailing address, email address, and phone number)
- Loyalty Account Information (e.g., account number and points balance, but not passwords)
- Additional Personal Details (e.g., company, gender, and birthday day and month)
- Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)
On March 31, 2020, Marriott sent emails about the incident to guests involved. It has set up a self-service online portal for guests to be able to determine whether their information was involved in the incident and, if so, what categories of information were involved. It has also established dedicated call center resources for guests to obtain more information.
In available geographies, Marriott has offered its guests the option to enroll in a personal information monitoring service, free of charge for 1 year, provided by Experian, a global data and information services provider.
Marriott has disabled the passwords of Marriott Bonvoy members whose accounts were compromised, and these members will be asked to change their passwords at the next login. It is also asking these members to enable multi-factor authentication.
The chain is in touch with authorities who are investigating the breach. This is the second major data breach for the hospitality brand in recent history.
Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, commenting on the breach, said: “Since employees often have access to sensitive customer data, creating appropriate alerts to detect credential misuse is particularly difficult. Examples of behaviour to look out for include: time of day (i.e., is the employee clocked in), scope of access (i.e., is the accessed data outside of their normal role), and volume of data (i.e., is the access consistent with how an employee would access data to address customer requirements).”
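The three signals named in the quote above (clock-in status, role scope, and data volume) can be evaluated together over an application's access log. The following is an added example, not code from Marriott or Synopsys; the employee IDs, property codes, shift hours, baselines, threshold factor and log events are all constructed assumptions.

```python
from datetime import datetime

# Constructed reference data (assumptions, not from the incident).
SHIFTS = {"emp_a": (8, 16), "emp_b": (14, 22)}        # clocked-in hours [start, end)
ROLE_SCOPE = {"emp_a": {"HOTEL-001"}, "emp_b": {"HOTEL-001"}}  # properties the role serves
DAILY_BASELINE = {"emp_a": 40, "emp_b": 35}           # typical guest records viewed per day
VOLUME_FACTOR = 5                                     # alert above 5x the daily baseline

# Constructed access events: (timestamp, employee, property of record, records returned)
EVENTS = [
    ("2024-03-04T09:12:00", "emp_a", "HOTEL-001", 3),
    ("2024-03-04T11:30:00", "emp_a", "HOTEL-001", 25),
    ("2024-03-04T23:40:00", "emp_a", "HOTEL-001", 4),
    ("2024-03-05T15:05:00", "emp_b", "HOTEL-014", 2),
    ("2024-03-06T03:20:00", "emp_b", "HOTEL-014", 900),
]

def evaluate(events):
    """Return (timestamp, employee, reasons) for every event that trips a signal."""
    alerts = []
    daily_total = {}  # (employee, date) -> cumulative records accessed that day
    for ts, emp, prop, count in events:
        t = datetime.fromisoformat(ts)
        reasons = []

        # Time of day: is the employee clocked in?
        start, end = SHIFTS[emp]
        if not (start <= t.hour < end):
            reasons.append("off_shift")

        # Scope of access: is the data outside the employee's normal role?
        if prop not in ROLE_SCOPE[emp]:
            reasons.append("out_of_scope")

        # Volume: is cumulative access consistent with serving guests?
        key = (emp, t.date())
        daily_total[key] = daily_total.get(key, 0) + count
        if daily_total[key] > VOLUME_FACTOR * DAILY_BASELINE[emp]:
            reasons.append("volume")

        if reasons:
            alerts.append((ts, emp, reasons))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Events that trip several signals at once are the strongest candidates for review, since each signal alone also fires on ordinary activity such as an employee covering a colleague's shift.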