International hotel chain Marriott has announced that the personal information of approximately 5.2 million guests was improperly accessed by third parties using the login credentials of two employees at a franchise property.
Marriott International has confirmed that around the end of February 2020 it identified that an unexpected amount of guest information had been accessed through an application used to provide services to guests at its hotels.
“We believe this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” said a Marriott spokesperson.
Marriott confirmed that the data breach compromised personal information including names, dates of birth, addresses, telephone numbers, email addresses, loyalty account numbers, the names of guests’ employers and the room stay preferences of approximately 5.2 million guests.
However, the hotel chain has also stated that there is no evidence that more sensitive information such as passport information, national IDs, driver’s license numbers and payment card details was accessed by the third parties.
The spokesperson said “the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
Marriott has contacted affected customers via email and disabled the passwords of all affected Marriott Bonvoy members so that they must reset them to secure their accounts. It has also set up a dedicated website (www.mysupport.marriott.com) and a toll-free number (reachable from the UK on 0800 345 7018) to help customers. Furthermore, affected guests have been offered free enrolment in Experian’s IdentityWorks data monitoring service for the next 12 months.
Commenting on the second mega-breach suffered by Marriott in two years, Will LaSala, Senior Director of Global Solutions at OneSpan, told TEISS, “As a Marriott customer myself, it is very disheartening that they apparently did not learn from their first missteps.
“Security is easily overlooked and often misplaced trust leads to failures such as this. Large organisations can often find it difficult to implement a one-size-fits-all authentication and security plan, however, from my experience, a one-size-fits-all approach never works and seems to leave the door open for hackers to break in. Instead, organisations should look to implement risk-based tools that adapt to the changes.
“Businesses this large, that are still having problems with their security need to bring outside help and implement the appropriate technology such as multi-factor authentication, behavioural analysis, biometrics, and even data from third-party tools as soon as possible, to ensure that the right level of security is applied at the right time,” he added.
The previous data breach compromised up to 383 million Marriott guest records
In July last year, the ICO announced its intention to fine Marriott almost £100 million for failing to prevent a massive data breach that started in 2014 and was not detected until 2018. The incident involved hackers gaining unauthorised access to the Starwood guest reservation database and copying the information stored in it.
In January last year, Marriott International announced that the unauthorised access gained by unknown hackers compromised no more than 383 million guest records, which included 8.6 million unique payment card numbers (encrypted), 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.
According to the ICO, the cyber incident exposed approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA) and 7 million related to residents of the UK.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," said Information Commissioner Elizabeth Denham.
"Personal data has real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public," she added.