Marriott International Hit By Second Data Breach

Hotel chain Marriott International has confirmed it has suffered a second data breach, that has compromised the personal data of roughly 5.2 million guests.

The data breach, first reported by Verdict, apparently began in mid-January 2020 and was discovered at the end of February 2020.

Compromised data includes names, addresses, date of birth, gender, email addresses and telephone numbers. Other exposed data includes employer name,, room stay preferences and loyalty account numbers.

Second breach

The hotal chain confirmed the “property system” breach to its customers in a statement.

“Marriott International announced that it is notifying some of its guests today of an incident involving a property system,” the chain said. “Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.”

“The company believes that this activity started in mid-January 2020,” it said. “Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.”

The hotel chain said that the investigation is ongoing, but it has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.

However it did confirm that contact details (name, mailing address, email address, and phone number); loyalty account information; additional personal details; partnerships and affiliations; and preferences were exposed. All of which is value data to criminals.

Marriott said it is emailing guests involved and has set up a dedicated website and call centre with additional information for guests.

The hotel said that it carries insurance (including cyber insurance) and is working with its insurers to assess coverage.

“The company does not currently believe that its total costs related to this incident will be significant,” it said.

First breach

But this is not the first time that Marriott International has suffered a data breach.

In July 2019 Marriot was handed a £99 million fine for another data breach, by the UK data protection watchdog.

The “colossal” hack on Marriott International was revealed back in December 2018. That hack was only discovered in November 2018, but it affected the personal details and payment card data on up to 340 million people dating back to 2014.

That data breach happened when the systems of the Starwood hotels group were compromised in 2014.

Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

Another penalty?

The fact that the hotel chain has suffered a second major security incident in less than two years has drawn reaction from across the security and legal sector.

“This will be unwelcome news for Marriott, particularly coming so quickly after the Information Commissioner’s Office’s announcement, in July 2019, of its intention to fine Marriott the record-breaking sum of £99 million under GDPR for a previous security incident,” noted Charlie Wedin, a partner at international law firm Osborne Clarke.

“In light of this recent history, if this latest incident stems from weak security measures (whether technical or organisational), we can expect regulators and the public to be particularly unsympathetic,” said Wedin.

A security expert said that having a layered approach to security can help give firms more confidence in their defences after security breaches.

“News today that Marriott has been hit again by a security breach raises the question of what should be done after a company suffers an incident,” said Stuart Reed, VP cyber for Nominet. “In our research, we have found that two thirds of those hit by a breach in the past 12 months weren’t very confident that their organisation could defend against the same type of attack again. The recent Marriott security incident potentially indicates that this lack of confidence is warranted.”

“Having a layered approach to security is paramount to ensuring that future cyber incidents are avoided,” said Reed. “A crucial part of this is monitoring and blocking threats on the network, as well as identifying where large amounts of data being accessed. It is also important to highlight anomalous behaviour, such as employees logging on to the network at strange times or from unusual places, which could indicate a malicious intruder.”

Another expert warned that the hospitality sector, already under strain due to the Coronavirus pandemic, must ensure that cyber security remains a priority.

“This breach should serve as a wake-up call to all in the hospitality sector – and other industries being negatively impacted by the pandemic – that they are still targets,” said Marcus Fowler, director of strategic threat at Darktrace.

“Attackers won’t wait to attack until business has stabilised, or until security and IT teams have completed the transition to remote work,” said Fowler. “Instead adversaries will look to use this uncertainty and upheaval to their advantage – striking while businesses are struggling to adapt.”

“These organisations also still have information that is valuable to cyber actors,” he added. “Employees need to remain on high alert for targeted phishing campaigns and businesses need to find ways to support their security teams. Technology like AI that can streamline investigations and stop attacks before they can do damage can buy back valuable time for overwhelmed teams.”

Another expert pointed out that organisations should build up a detailed threat model to they can implement appropriate monitoring controls.

“In this case, the attack vector was via compromised employee credentials,” noted Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center). “Those credentials provided access to guest services within individual properties under the Marriott brand. Since employees often have access to sensitive customer data, creating appropriate alerts to detect credential misuse is particularly difficult.”

Meanwhile expert noted that this second breach occurred well before the world’s attention shifted to Coronavirus pandemic.

“This should be a stark reminder to every corporation that hackers don’t sleep under any circumstances,” said Sam Curry, chief security officer at Cybereason. “In the old days we used to say that ‘loose lips sink ships,’ but in this day and age ‘a loose click kills quick.’ Marriott’s initial disclosure of 5 million compromised accounts pales in sheer volume to their 2018 breach, but tell that to the more than 5 million customers.”

“Today, it is less about bayoneting the wounded and a lot more about how Marriott makes sure this never happens again?” said Curry. “Brands are suffering regularly and time will tell what happened with Marriott and people will need to be held accountable as needed. And with any breach the proprietary information about inner workings of an organisation and private communications can ultimately lead to lawsuits, terminations and other material actions.”

Speedy discovery

Another expert data that while this second breach is disappointed, there are some positives for Marriott’s security team.

“In the previous incident in 2018, Marriott detected signs of unauthorised activity going back four years,” said Andrew Hollister, LogRhythm Labs senior director. “In this new case, the activity appears to have begun in January 2020 and been detected during the course of February 2020. This is a significant improvement in time to detect and respond to a data breach. Whilst a significant number of records has been breached, the reduced time to detect has no doubt contributed to the number being substantially lower than on the previous occasion.”

Another expert agreed and said that Marriott should be commended on the speed at which they detected the breach.

“They were able to report on what information was taken and which customers were affected, and while there was certainly valuable data leaked, it sounds like this was relatively well-contained,” said Brian Vecci, field CTO at Varonis.

“A breach is never good news, but it’s a positive sign that they were able to keep tabs on their data and report the leak to authorities – transparency is critical when you’re dealing with data privacy,” said Vecci. “Most companies are lost when it comes to making sure the most valuable PII was protected, but in this case Marriott seems to have been able to identify exactly what was touched and they’re increasing their monitoring – which is important, as visibility is everything.”

But some warned of the wide ranging and extremely costly effects a data breach can have.

“While financial data wasn’t stolen the personal information the criminals did get is incredibly valuable and can be used for malicious means – for example, to use personal information to conduct convincing phishing attacks against guests,” said Ed Macnair, CEO of Censornet.

“While account takeover attacks can be devastating, there is a straightforward way to protect against them,” said Macnair. “The most effective method is to use two-factor or multi-factor authentication (MFA). MFA is a must have for admin or privileged account holders who can access sensitive data or escalate privileges.”

A final security expert agreed that credential compromise is a common root cause of data breaches, and poses a particular risk during the current climate.

“In the future, it is crucial that Marriott updates its data security to avoid being hit by a further breach,” said Matt Middleton-Leal, Netwrix’s general manager EMEA & APAC.

“All organisations must understand exactly what data they have, where it is stored and monitor the access to it,” said Middleton-Leal. “Now that everyone is working from home, cyber security teams need to pay attention to unusual spikes in data access, so they can discover a security incident early and prevent data from leaking. For Marriott and other businesses entrusted with sensitive data, it is crucial that advanced monitoring systems are in place going forward.”

Do you know all about security? Try our quiz!