Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off 5.2m guests' personal info

How many customers' deets? It's not saying just yet


Marriott Hotels has suffered its second data spillage in as many years after an "unexpected amount" of guests' data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected "at the end of February."

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.


Bob Rudis of infosec biz Rapid7 commented: “The use of stolen, legitimate credentials is still one of the most popular attack vectors for our adversaries. It is also paramount that you continue to watch for anomalous behaviour of systems and accounts to reduce the time attackers have to accomplish their goals if they do manage to breach your defences.”
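One way to implement the account-level anomaly watch Rudis describes, as an added example that is not from the article or from Rapid7: score each employee account's daily guest-record lookups against that account's own prior median, so a login that suddenly pulls thousands of records stands out within days rather than weeks. The log format, account names and threshold are constructed assumptions.

```python
"""Flag accounts whose guest-record lookups spike against their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed sample lines in a hypothetical "<date> <account> <records_accessed>"
# format: emp_a behaves normally for a week, then pulls an unexpected volume.
SAMPLE_LOG = """\
2020-01-06 emp_a 40
2020-01-07 emp_a 38
2020-01-08 emp_a 45
2020-01-09 emp_a 41
2020-01-10 emp_a 39
2020-01-13 emp_a 2600
2020-01-06 emp_b 20
2020-01-07 emp_b 22
2020-01-08 emp_b 19
2020-01-09 emp_b 25
2020-01-10 emp_b 21
2020-01-13 emp_b 23
"""


def parse_log(text):
    """Return {account: [(date, records_accessed), ...]} from the constructed format."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, account, count = line.split()
        per_account[account].append((date, int(count)))
    return per_account


def find_volume_anomalies(per_account, factor=5.0, min_history=5):
    """Return [(account, date, count, baseline)] for days where an account's lookups
    exceed factor * the median of its EARLIER days. Only prior days feed the baseline,
    so a compromised account's own spike cannot inflate it; accounts with fewer than
    min_history days are not scored, since a new login has no baseline yet."""
    alerts = []
    for account, rows in per_account.items():
        history = []
        for date, count in sorted(rows):
            if len(history) >= min_history and count > factor * median(history):
                alerts.append((account, date, count, median(history)))
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in find_volume_anomalies(parse_log(SAMPLE_LOG)):
        print("ALERT account=%s date=%s records=%d baseline=%s" % alert)
```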

Guests are now being emailed from marriott@email-marriott.com, with the company publishing a self-help portal so you can, er, input your personal data to find out whether it was exposed or not. A link is available from the Marriott security breach notification page. For affected Brits, an 0800 number is provided so one can bellow enraged obscenities at some call centre drone, sorry, obtain further information.

Free Experian identity monitoring is also being provided to those affected. The idea of this is to notify you if criminals are using your stolen details to clone your identity.

If you are affected, Marriott said in its statement, it will force a password reset and prompt you to enable multi-factor authentication.

Back in 2018 Marriott lost control of 383 million people’s personal data after China-based criminals broke into its Starwood brand’s guest database. Included in that hack were 8.6 million “encrypted” credit card numbers, though the hotel chain insisted that all but a mere 354,000 had expired by the time staff realised what had happened.

The data spillage will come as bad news for Marriott’s lawyers and beancounters, who thought they had been successful in kicking the UK ICO's £99m fine for the 2018 breach into the long grass. And lest we all forget, in 2014 the hotel chain was caught red-handed blocking guests’ own Wi-Fi hotspots in a vain attempt to force them to buy expensive hotel Wi-Fi access instead. ®

Updated to add

Marriott says information on "up to approximately 5.2 million guests" may have been stolen. That info included names, mailing addresses, email addresses, and phone numbers, loyalty account numbers and points balances, employer, gender, and birthday days and months, and linked airline loyalty programs and numbers.


Biting the hand that feeds IT © 1998–2020