For the second time within two years, hotel giant Marriott has disclosed that it has suffered a data breach. The new incident has affected 5.2 million of its guests, compromising a range of their personal information, including names, email and mailing addresses, and the names of their employers. Considering that the previous breach affected over half a billion people and exposed a wide range of personal data, some might view the new breach as less damaging.
According to the hotel operator’s investigation, the new incident originated in a franchise hotel that operates under the Marriott brand. The login credentials of two employees at the hotel were used by an unknown party to access the guests' information. Once the breach was discovered, the credentials were disabled and an investigation was launched.
The probe revealed that the nefarious activity started in the middle of January 2020 and wasn’t discovered until late February, which left a period of around six weeks for the cybercriminals to harvest the data. It wasn't until now that the international hotel chain disclosed the breach and notified the affected customers.
“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” said Marriot in an official statement.
On the other hand, the exposed information consisted of contact details, including names, addresses, email addresses, phone numbers, loyalty account numbers and points balances, gender, partial birth dates and employer details, affiliated loyalty programs and stay preferences.
The company took steps to help its guests with the situation. It is offering a personal monitoring service free of charge for a year, although the service is not available for all countries. It also went to disable the current passwords to its benefit programs and its users will have to enable two-factor authentication once they change their passwords. The authorities were notified as well.
In an effort to ease fears of phishing attacks, Marriot also shared the official email address (marriott@email‑marriott.com) that will be used for contacting guests about the situation. Using this self-service site, you can go ahead and check to see if you were affected.
This is the second major data breach involving a hotel operator that has been disclosed this year. MGM Resorts announced a data breach in February that affected 10.6 million of its guests, including singer Justin Bieber and Twitter CEO Jack Dorsey.