Marriott Confirms Data Breach, Says Core Network UnaffectedHackers Claim to Have Stolen 20GB of Data That Marriott Says Is Nonsensitive
Marriott International uncovered yet another data breach, this time potentially affecting up to 400 individuals.
The hotel chain, which has a history of losing customer data to hackers, says the incident was paired with an extortion attempt, which it did not pay.
A company spokesperson tells Information Security Media Group the breach primarily consists of nonsensitive internal business files regarding the operation of its airport-adjacent hotel in Baltimore.
The incident was first reported by Databreaches.net, which says hackers shared documents that include records apparently of airline hotel reservations for flight crew that include the crew's names, job titles and hotel room numbers. Also apparently in the documents are the corporate credit card numbers used to make the reservations.
Hackers told the pseudonymous owner of the website, who goes by the handle "Dissent Doe," that they made off with 20 gigabytes of Marriott data. "Their security is very poor, there were no problems taking their data," Dissent Doe says the hackers said.
Marriott said through a spokesperson that it is informing 300 to 400 individuals of the breach, has notified law enforcement agencies and regulators and is supporting investigations into the incident.
The hotel chain attributes the access vector of the breach to a social engineering attack. The breach was limited to a short period of time and only affected a compromised associate's system; hackers did not obtain access to Marriott's core network, the spokesperson tells ISMG.
Marriott's Data Breach History
Hackers later fingered as working for the Chinese government were found in 2018 to have stolen over a period of four years approximately 340 million guest records.
Marriott paid a $24 million fine in 2020 without admitting liability to settle allegations that it had violated Europe's General Data Protection Regulation by failing to ensure adequate security of personal data (see: Marriott Hit With $24 Million GDPR Privacy Fine Over Breach).
In the United States, the hotel chain has since been almost continuously locked in litigation, with U.S. District Judge Paul. W. Grimm of the District of Maryland recently granting class certification to plaintiffs representing some tens of millions of guests. Accenture, which provided security services to Marriott, is a co-defendant.
Plaintiffs accuse Marriott of failing to undertake basic security measures, such as multifactor authentication, for controlling access to databases containing guest information.
Marriott and Accenture also allowed too many accounts to have access to the reservation database with too elevated a privilege level and failed to properly log the activities of those accounts, plaintiffs allege.
In 2020, Marriott reported another breach that compromised 5.2 million customer records. The threat actors had access to the system for just two months and did not expose payment card details. But the breach did expose email addresses, mailing addresses, loyalty rewards numbers and other personally identifiable information.
Marriott suspected hackers gained access via two compromised employee accounts. Grimm dismissed in March 2021 an attempted class action tied to the incident, telling plaintiffs they had failed to establish standing.