Previously burned by a hack of its Starwood reservations system, Marriott International on Tuesday disclosed another major data breach, this one affecting 5.2 million of its guests.
According to the Bethesda, Md.-based hospitality giant, the source of the breach was an application that its hotels use to provide guests with various services. Marriott did not name the specific app.
Affected information includes guests' names, mailing addresses, email addresses, phone numbers, loyalty account numbers and point balances, employers, genders, birthdays (day and month only), airline loyalty program information, and hotel preferences such as room and language selections. There is currently no evidence that Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver's license numbers were compromised, the company said in an online notification.
"The kinds of information disclosed in the latest Marriott breach might seem innocuous, but it is precisely this kind of intelligence that enables threat actors to better target attacks on consumers. Simply: the more I know about you, the better chance I have of fooling you," said Gerrit Lansing, field CTO at Stealthbits.
Marriott said it discovered the breach in late February 2020, after determining that an unauthorized party had been accessing guest information since mid-January, using the stolen app login credentials of two franchise property employees.
"Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests," said Marriott's breach disclosure, which was supplemented by notification emails sent to affected guests.
"Breaches that use valid credentials can be harder to detect because the attack looks like a valid login," said Tim Erlin, VP of product management and strategy at Tripwire, in reaction to the incident. "In these cases, organizations often have to look at what changes that attacker is making as they carry out their objective in order to detect the malicious activity."
In response to the incident, Marriott has established a self-service portal for customers to see if they are affected, and also set up a series of call centers. Affected guests are eligible for one free year's enrollment in a personal information monitoring service. Additionally, impacted Marriott Bonvoy members have had their passwords changed and their multi-factor authentication enabled.
Marriott customers must now be wary of their information being leveraged by cybercriminals. "End users want to make sure they continue to be vigilant when it comes to spear phishing or targeted emails about their accounts, as criminals will mix this in with the COVID-19 scam emails that are in circulation," said James McQuiggan, security awareness advocate at KnowBe4. "By staying vigilant against the COVID-19 emails, people may drop their guard when they see a data breach email scam informing them to change their account password and unknowingly click a link or open an attachment."
Kelly White, CEO at RiskRecon, criticized Marriott for the data loss incident. "This breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring," said White. "Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior."
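The account activity monitoring that Erlin and White describe above comes down to a baseline check: a valid login tells you nothing, but an account that normally touches a handful of guest profiles a day and suddenly reads hundreds does. The script below is an added example, not code from the article, Marriott, Tripwire or RiskRecon. It parses constructed application log lines (the `acct=... action=... record=...` format and the `fr-prop-*` account ids are invented for the example), builds each account's per-day lookup count, and raises an alert when a day's count exceeds a multiple of the account's own prior median or an absolute ceiling.

```python
"""Volumetric anomaly detection over application access logs (added example).

Each constructed log line records one guest-profile lookup made by an
application account. Because the attacker in this scenario holds valid
credentials, every login succeeds; what stands out is the volume of
records read, so the detection keys on per-account daily lookup counts
compared against that account's own history.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log (invented format, invented account and record ids).
# Two accounts behave normally for two days; on the third day one of them
# pulls 400 guest profiles in a few minutes at 02:00.
SAMPLE_LOG = """\
2020-01-10T09:01:12Z acct=fr-prop-1107 action=guest_lookup record=g-0001
2020-01-10T09:05:40Z acct=fr-prop-1107 action=guest_lookup record=g-0002
2020-01-10T10:11:03Z acct=fr-prop-2210 action=guest_lookup record=g-0003
2020-01-11T08:52:19Z acct=fr-prop-1107 action=guest_lookup record=g-0004
2020-01-11T09:12:00Z acct=fr-prop-1107 action=guest_lookup record=g-0005
2020-01-11T09:30:00Z acct=fr-prop-1107 action=guest_lookup record=g-0006
2020-01-11T11:00:00Z acct=fr-prop-2210 action=guest_lookup record=g-0007
""" + "\n".join(
    f"2020-01-12T02:{i // 60:02d}:{i % 60:02d}Z acct=fr-prop-1107 "
    f"action=guest_lookup record=g-{1000 + i:04d}"
    for i in range(400)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["day"] = event["ts"][:10]  # ISO timestamp -> YYYY-MM-DD bucket
        events.append(event)
    return events


def daily_counts(events, action="guest_lookup"):
    """Return {account: {day: number of `action` events}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == action:
            counts[e["acct"]][e["day"]] += 1
    return counts


def flag_anomalies(counts, ratio=10.0, absolute_ceiling=250):
    """Flag (acct, day, count, baseline) tuples.

    baseline is the median of the account's counts on *earlier* days only, so
    the check never peeks at later data. A day is flagged when its count is
    above `ratio` times that baseline, or above `absolute_ceiling` regardless
    of history (covers accounts with no prior activity to compare against).
    """
    alerts = []
    for acct, per_day in counts.items():
        for day in sorted(per_day):
            n = per_day[day]
            prior = [c for d, c in per_day.items() if d < day]
            baseline = median(prior) if prior else 0
            if n > absolute_ceiling or (prior and n > ratio * baseline):
                alerts.append((acct, day, n, baseline))
    return sorted(alerts)


def run_detection(log_text):
    """Convenience wrapper: raw log text in, sorted alert tuples out."""
    return flag_anomalies(daily_counts(parse_log(log_text)))


if __name__ == "__main__":
    for acct, day, n, baseline in run_detection(SAMPLE_LOG):
        print(f"ALERT {acct} on {day}: {n} guest lookups (prior median {baseline})")
```

On the constructed log the only alert is the 400-lookup day for `fr-prop-1107`, whose prior median is 2.5; the same account's three-lookup day and the second account's one-lookup days stay below both thresholds. In a real deployment the ratio and ceiling would be tuned per role (a front-desk account and a central reporting account have very different normal volumes), and the daily bucket would usually be narrowed to hours so a burst is caught while it is still in progress rather than at end of day.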
On Nov. 30, 2018, Marriott disclosed that its Starwood Hotel brand had suffered a years-long breach that affected 500 million individuals entered into the Starwood reservations system. The number of victims was eventually reduced to 383 million, and the incident, which actually began prior to Marriott's 2016 acquisition of Starwood, was later reportedly attributed to Chinese state hackers.