Marriott Discloses Data Breach Affecting Around 5.2 Million Guests

Marriott is notifying some of its guests about an “incident involving a property system” according to its public statement released today. A cybersecurity breach, which is currently under investigation in cooperation with relevant authorities, was identified at the end of February, but the illicit activity is believed to have begun in mid-January 2020.

The personal information of as many as 5.2 million Marriott guests has been exposed through an apparent hack of “an application to help provide services to guests at hotels,” which used the login credentials of two employees at a particular franchise property.

There was no indication given as to whether the employees whose credentials were used to conduct the theft are themselves suspect in the inquiry.

While not all information was accessed for every guest involved, leaked details are believed to have included contact information, such as name, mailing address, phone number and email address, and further personal details like company, gender and birth date.

Marriott Bonvoy loyalty account information (excluding passwords and PINs), linked airline loyalty programs and corresponding account numbers, and such guest-indicated preferences as language and room selection were also potentially exposed.

Marriott has pointed out that it “currently has no reason to believe” that the incident involved the exposure of such sensitive particulars as, “payment card information, passport information, national IDs, or driver’s license numbers.”

Marriott is currently contacting all guests involved to notify them about the incident and suggesting steps they might take. The company has also set up a dedicated call center and website with information for affected guests about enrolling in a personal information monitoring service that Marriott is providing.

In response to questions about why the company waited a month before going public about the breach, Marriott said, “We are still investigating the incident. We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We have several policies and controls in place related to the relevant property application. Marriott remains committed to further strengthening its protections to detect and remediate incidents such as this in the future,” reported Travel Weekly.

This latest incident hearkens back to the 2018 cybersecurity breach of Marriott’s Starwood network reservations system, in which the personal information of around 383 million guests was ultimately found to have been stolen.

In that instance, such highly sensitive data as payment card details and passport numbers was leaked, in addition to guests’ names, mailing addresses, phone numbers and email addresses.

For more information, visit mysupport.marriott.com.