Marriott International suffers another major data breach


The Marriott International hotel chain has suffered another major data breach following a previous breach disclosed in 2018.

The hotel giant said yesterday that contact details, loyalty account numbers and other personal information of an estimated 5.2 million customers may have been exposed after cyber criminals obtained the login credentials of two employees at a franchise property.

In a statement, the company said it discovered that an unexpected amount of guest information may have been accessed using these credentials at the end of February.

“We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”

Marriott said its investigation is ongoing, and it currently has no reason to believe that Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers were exposed.

Information that the hotel chain suspects has been compromised includes contact details such as name, mailing address, e-mail address and phone number; loyalty account information such as account number and points balance, but not passwords; additional personal details including company, gender, and birthday day and month; partnerships and affiliations such as linked airline loyalty programmes and numbers; and preferences, including stay/room preferences and language preference.

Yesterday, Marriott sent e-mails about the incident to all its guests involved, and has set up a self-service online portal for guests to be able to determine whether their information was involved in the incident and, if so, what categories of information were involved.

Tighter controls

“While unfortunate for Marriott that they have had to disclose a second event related to exposed customer information, there is something reasonably positive in this story compared to the mega-breach in 2018,” says Rusty Carter, VP of product management at Arxan Technologies. “The inappropriate access of the data started in January, and was caught shortly thereafter. That said, depending on the details that come out about how the data was accessed by the franchisee, there are outstanding questions about the security of Marriott's APIs and how hotels are allowed to access them.”

According to Carter, tighter controls need to be placed on access to personal data, and systems need to be designed so that personal data cannot be stolen in bulk.

“In the same way that a store manager balances the register each day, companies in possession of customers' personal data should verify access to individuals' information, and be able to quickly identify anomalies.”

Marriott might also face another hefty fine. As a result of the 2018 breach, the UK Information Commissioner’s Office fined the company 99 million pounds under the European Union’s General Data Protection Regulation (GDPR).

Says Carter: “Furthermore, this event shows that legislative protections of personal information can, and should, go farther. Consumers should know when their information has been accessed, and by design systems must provide a way for consumers to see and be notified every time their information is accessed, by anyone or any system, for any purpose.”
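Carter's two points above, that a company should be able to spot anomalous access to guest records quickly and that a consumer should be able to see every access to their own profile, both come down to keeping an access log of who read which record and then querying it in two directions. The following is an added illustration of that, not code from Marriott or Arxan: it assumes a constructed log schema (timestamp, staff credential, property, guest loyalty ID) and flags any credential whose daily lookup volume after a baseline period exceeds a multiple of its own historical mean, the kind of check that would have caught two franchise logins suddenly pulling millions of profiles. The second function returns the per-guest audit trail Carter argues consumers should be shown. All data below is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class AccessEvent:
    """One lookup of a guest profile by a staff credential (constructed schema)."""
    ts: datetime
    credential: str   # employee login used for the lookup
    property_id: str  # hotel/franchise property the lookup came from
    guest_id: str     # loyalty account whose profile was read


def daily_counts(events):
    """Per credential, count lookups and distinct guests read per calendar day."""
    counts = defaultdict(lambda: defaultdict(int))
    guests = defaultdict(lambda: defaultdict(set))
    for e in events:
        day = e.ts.date()
        counts[e.credential][day] += 1
        guests[e.credential][day].add(e.guest_id)
    return counts, guests


def flag_anomalous_credentials(events, baseline_end, ratio=3.0, min_lookups=50):
    """Return {credential: [(day, lookups, distinct_guests), ...]} for days after
    `baseline_end` whose lookup volume exceeds `ratio` times the credential's own
    mean daily volume over the baseline period, and is at least `min_lookups`.
    A credential with no baseline history is judged against `min_lookups` alone."""
    counts, guests = daily_counts(events)
    flagged = {}
    for cred, per_day in counts.items():
        baseline = [n for d, n in per_day.items() if d <= baseline_end]
        base_mean = mean(baseline) if baseline else 0.0
        limit = max(min_lookups, ratio * base_mean)
        hits = [(d, n, len(guests[cred][d]))
                for d, n in sorted(per_day.items())
                if d > baseline_end and n > limit]
        if hits:
            flagged[cred] = hits
    return flagged


def accesses_for_guest(events, guest_id):
    """The audit trail a guest could be shown: who read their profile, when, from where."""
    return sorted((e.ts, e.credential, e.property_id)
                  for e in events if e.guest_id == guest_id)


def build_sample_events():
    """Constructed data: two credentials doing a steady 20 lookups/day for two weeks,
    after which one of them starts reading hundreds of distinct profiles per day."""
    start = datetime(2020, 1, 1, 9, 0)
    events = []
    for day in range(21):
        for cred in ("emp-A", "emp-B"):
            n = 300 if (cred == "emp-A" and day >= 14) else 20
            for i in range(n):
                events.append(AccessEvent(start + timedelta(days=day, minutes=i),
                                          cred, "property-042",
                                          f"guest-{(day * 1000 + i) % 5000:04d}"))
    return events


SAMPLE_EVENTS = build_sample_events()
BASELINE_END = date(2020, 1, 14)  # first two weeks establish each credential's normal volume

if __name__ == "__main__":
    for cred, hits in flag_anomalous_credentials(SAMPLE_EVENTS, BASELINE_END).items():
        for day, n, distinct in hits:
            print(f"{cred}: {n} lookups of {distinct} distinct guests on {day}")
    for ts, cred, prop in accesses_for_guest(SAMPLE_EVENTS, "guest-0005"):
        print(f"guest-0005 read by {cred} at {prop} on {ts}")
```

Comparing each credential against its own baseline rather than a global threshold matters in a franchise setting, where a front-desk login and a central reservations login legitimately differ by orders of magnitude; the distinct-guest count is reported alongside raw volume because a credential re-reading one profile repeatedly and one sweeping thousands of profiles warrant different responses.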

Ignorance isn't bliss

Mark Sangster, VP and industry security strategist at eSentire, notes that it again took Marriott over a month to notify affected consumers.

Giving the hotel group the benefit of the doubt, he adds that they likely contacted EU privacy agencies within the prescribed 72 hours of detection.

However, Sangster says privacy and data protection laws are inadequate when it comes to protecting consumers.

“For 30 days, affected consumers were exposed to a cyber breach that had yet to manifest signs or symptoms. This shouldn’t be lost on people, sheltering in-home quarantine from a global disease that spreads through asymptomatic transmission. The same rules apply. As soon as you become aware of the risk, you can take precautions to minimise your exposure. When are we going to learn? Affected individuals need to be notified immediately once the cyber event is confirmed, so they can take their own actions, like changing passwords, putting holds on their credit cards, and monitoring their accounts for suspicious activity. It’s time to flatten the curve on the spread of cyber fraud.”

Sangster adds that just because the stolen data doesn't include credit card information, that doesn't mean it is not dangerous, and that no organisation should downplay an incident of this nature. In fact, the type of information stolen, in the wrong hands, could lead to highly tailored phishing scams that would be almost impossible to distinguish from the genuine article.

“This is a good example of fool me once, shame on you; fool me twice, shame on me,” ends Sangster. “This isn’t the first cyber blemish in Marriott’s logbook. Beyond the penalties, Marriott will likely find itself in a protracted legal battle with underwriters to receive insurance coverage again.”
