Marriott Hotels Admits Third Breach – Report

Whistleblower leak keyboard security breach © CarpathianPrince Shutterstock

Not again. Marriot Hotels has admitted it has suffered a third data breach, with customer credit cards and other data being swiped

Marriott International has reportedly exposed customer data once again, with the news that it has suffered a third data breach in four years.

Cyber criminals confirmed to DataBreaches that last month they had hacked into a server at the Marriott hotel at Baltimore-Washington International Airport in Maryland.

According to DataBreaches, the hacking group insisted they have no name, so they are being referred to as “GNN” for now (for Group with No Name).

Marriott VRoom Service

Third breach

According to GNN, they breached Marriott about a month ago and were able to exfiltrate 20GB of data including some credit card info and confidential information.

DataBreaches inspected a few files that suggested the files came from BWI Airport Marriott in Maryland (BWIA). When asked, GNN confirmed that it was BWIA Marriott’s server that they had hacked.

According to statements made to DataBreaches, GNN then emailed numerous employees at Marriot about the breach.

Marriott initially responded to them, but then stopped communicating:

“We are the ones who organised this leak and they were communicating with us,” GNN’s spokesperson informed DataBreaches, “We were acting like a RedHat organisation and they just stopped communicating with us.”

Then on 29 June, DataBreaches said it contacted Marriott’s CISO, Arno Van Der Walt, who responded promptly and asked if DataBreaches would be willing to talk to Marriott’s external counsel at BakerHostetler.

DataBreaches agreed, and spoke with their counsel that afternoon.

Marriott confirmation

Based on what GNN had already shared with DataBreaches, Marriott immediately confirmed that there had been an incident and that some data had been stolen.

But Marriott reportedly described the incident as being less significant than GNN had described it.

The GNN hackers meanwhile had declined to answer any of my questions as to how they had gained access, but Marriott informed DataBreaches that the breach occurred because social engineering successfully tricked one associate at a single Marriott hotel into giving the threat actor(s) access to that associate’s computer.

“We have no evidence that the threat actor had access beyond the files that were accessible to this one associate,” Marriott reportedly stated.

DataBreaches reported that GNN did not really dispute many of Marriott’s statements, saying that for the aspects they knew about, Marriott’s version was pretty close to what had happened.

It is unclear whether the GNN hackers demanded money from Marriott, but the hotel chain claimed it had identified and was investigating the incident before it was ever contacted by GNN.

Marriott also claimed the incident was contained in six hours.

Stolen Data

Marriott did however acknowledge that while most of the data acquired by GNN was what Marriott described as non-sensitive internal business files, they will be notifying approximately 300-400 individuals and any regulators, as required.

They did not provide a full description as to what kinds of personal information were involved for the individuals being notified.

However screenshots have reportedly showed customer credit card authorisation forms, including full card details.

Law enforcement has been notified, and Marriott stated that they are supporting that investigation.

“This is the third time, overall, that Marriott has been a victim of a data breach as a result of an employee falling for a carefully constructed social engineering attack, and handing over sensitive credentials,” noted Tim Sadler, CEO and co-founder of cloud security specialist Tessian.

“This is yet another example of why large organisations need to help their people detect advanced phishing attacks and help nudge them towards safer behaviours,” said Sadler. “The attacks are only getting harder to spot; all it takes is for one sophisticated email to bypass defences and one distracted employee to miss the signs, or be manipulated into thinking they’re communicating with a trusted connection, before it’s too late.”

“An intelligent approach to security is needed to thwart this growing threat if large businesses, such as Marriott, want to protect their people, their reputation and their bottom line,” Sadler concluded.

Other breaches

Unfortunately this is now the third breach for the hotel chain in recent years.

A “colossal” hack on Marriott International was first revealed to the world back in December 2018, and it affected the personal details and payment card data on up to 340 million people – dating right back to 2014.

The data breach happened when the systems of the Starwood hotels group were compromised in 2014.

Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

In July 2019 Marriot was handed a £99 million fine by the UK data protection watchdog (the ICO), but this was eventually reduced to £18.4m in October 2020.

Unfortunately for the hotel chain, in April 2020 Marriott confirmed another data breach, that had compromised the personal data of roughly 5.2 million guests around the world.

In August 2020 the hotel chain faced a class action lawsuit in the UK High Court, brought by millions of former guests demanding compensation.