For the second time in less than two years, Marriott International is
reporting a major data breach, this one affecting up to 5.2 million guests.
According to the company, the attack was made using the
login credentials of two employees at a franchise property to access a property
system used by hotels operated and franchised under Marriott’s brands.
Marriott believes the activity started in mid-January and
continued until the company discovered the breach at the end of February.
The stolen data covers approximately 5.2 million guests and includes
contact details such as mailing address, email and phone number; loyalty
account information; personal details such as gender and birthday; linked
loyalty programs and numbers; and stay preferences. Not all information was
present for every guest involved.
Marriott says that while its investigation is ongoing, it
does not believe that Bonvoy loyalty account logins, payment card information,
passport information or driver’s license numbers were accessed.
Ameet Naik, security evangelist at security solutions
provider PerimeterX, says that while travel brands may be busy dealing with the
impact of the COVID-19 coronavirus, they need to remain vigilant about cybersecurity.
“In the past month we have seen a significant increase in
the percentage of account takeover traffic (ATO) to travel and hospitality
sites, surging to as high as 80% of all login attempts. This shows that while
travelers are staying home, the hackers are still out and about,” Naik says.
“ATO attacks are a
major threat to any business. It is much simpler and lucrative to walk in
through the front door with valid stolen credentials than to look for holes in
an organization's cybersecurity defenses. With the vast volume of stolen
credentials out there, hackers launch credential stuffing attacks using
automated bots.
“Eventually they find a username and password that works that
will let them buy goods for resale, drain loyalty accounts of points or steal
personal information. The data stolen from this breach will invariably make it
to the dark web and further fuel this cycle of ATO attacks.”
In November 2018, Marriott
said it had uncovered a data breach impacting 500 million records in the Starwood
reservation system.
Marriott has sent an email to the guests impacted by this
breach and has set up a dedicated website with
additional information.