Marriott Faces Second Data Breach, Compromising Information of 5.2 Million Hotel Guests

Marriott Reports Data Breach Affecting 5.2 Million Guests

International hotel chain Marriott International has revealed a significant data breach that has compromised the information of approximately 5.2 million guests. This marks the second major cybersecurity incident for the company in recent years, following a 2014 breach that exposed the records of over 339 million customers.

The company disclosed in a statement that it discovered unauthorized access to guest information at the end of February 2020. The breach was enabled by the login credentials of two employees at a franchise location, suggesting a potential failure in account security protocols. Marriott indicated that this unauthorized access began in mid-January 2020. After confirming the breach, the credentials were promptly disabled, and the company initiated an in-depth investigation, implemented enhanced monitoring, and mobilized resources to assist affected guests.

The exposed data includes guest contact information such as names, addresses, emails, and phone numbers, alongside loyalty account specifics like account numbers and points balances. Other sensitive details, such as company affiliations, gender, dates of birth, room preferences, and language preferences, were also potentially accessed. Importantly, Marriott noted that there is currently no evidence indicating that guests’ payment card information, passwords, or other sensitive identifiers like social security numbers were compromised.

As part of its response, Marriott has created a self-service online portal to allow guests to verify whether their information was involved in the breach. The company is providing affected users with a one-year complimentary subscription to IdentityWorks, a personal information monitoring service. Additionally, Marriott has taken proactive measures by disabling the passwords of potentially affected Marriott Bonvoy members. These individuals will be prompted to change their passwords upon their next login and are encouraged to enable multi-factor authentication.

This breach follows an earlier major incident dating to 2014, when attackers gained access to the guest reservation database of Starwood Hotels (acquired by Marriott in 2016), exposing the personal details of over 339 million guests; the intrusion was not discovered until late 2018. As a result of that incident, Marriott faced significant legal and financial repercussions, including a £99 million ($123 million) fine imposed by the UK’s Information Commissioner’s Office under GDPR.

Cybersecurity experts emphasize the risks associated with such breaches. Gerrit Lansing, Field CTO at STEALTHbits, noted that while the information disclosed in this breach may seem relatively benign, it can significantly enhance the ability of threat actors to launch targeted attacks on individuals. The more personal data an attacker possesses, the higher the likelihood of successful deception.

The tactics and techniques likely used in this latest breach map to several categories in the MITRE ATT&CK framework, including initial access through compromised credentials and possible privilege escalation through misuse of those employee accounts. This pattern underscores the importance of rigorous authentication and credential management practices, which remain critical defenses against similar incidents.

Marriott’s ongoing investigation highlights the urgent need for businesses, particularly in the hospitality sector, to fortify their cybersecurity measures and ensure they are equipped to handle potential data breaches effectively.
