Hospitality giant Marriott International revealed on Tuesday that it suffered a data breach affecting 5.2 million of its former guests. The company stated hackers didn’t access customer payment or ID card information, but admitted they captured other personal details.
Marriott’s Latest Data Breach
In a disclosure statement, Marriott explained that in late February it discovered rogue operators had compromised its network. The firm said it detected that an “unexpected amount” of guest information had been accessed at one franchise property using the login credentials of two employees. The hotelier declined to name the affected facility but stated the unauthorized activity began in mid-January.
After disabling the subverted logins, the company alerted the appropriate authorities and began an internal investigation, which is still ongoing. The firm’s inquiry found that 5.2 million guests had their personally identifiable information (PII) accessed. During the breach, hackers captured Marriott customers’ names, addresses, phone numbers, email addresses, birthdates, employers, genders, travel loyalty program data, and visit preferences.
The hospitality brand also said hackers breached its Marriott Bonvoy loyalty club database but only gathered membership details.
At this point, the company does not believe the cyber thieves stole any guest payment data. However, the firm set up a website that allows its customers to determine if the breach involved their PII.
Marriott’s 2018 Data Breach
Notably, Marriott endured a much more extensive system compromise in November 2018.
The hospitality company initially claimed cybercriminals breached its networks and accessed the PII of 500 million people. In addition to being much bigger than its 2020 breach, the firm’s older hacking incident involved rogue operators obtaining customer passport and credit card data. Later, the corporation revised the scale of its system infiltration down to 383 million affected consumers with 5 million payment cards and ID numbers exposed.
Hackers gained access to Marriott’s data stores by infiltrating the network of its Starwood Hotels subsidiary from 2014 to 2018.
The hospitality firm faced intense blowback for that breach, including two class-action lawsuits seeking $12.5 billion in damages. In July 2019, Britain’s Information Commissioner’s Office levied a $123.69 million fine against the corporation for violating the European Union’s General Data Protection Regulation. The agency found the corporation liable for not performing due diligence when it purchased Starwood in 2016.
Furthermore, last December the city of Chicago won approval to sue the hospitality company for violating its local consumer protection ordinances.
Notably, investigators found Marriott’s 2018 data breach had been carried out by China’s Ministry of State Security. The Sino spy agency reportedly tasked hackers with gathering intelligence on American business executives and government officials with security clearances. The White House later cited the Asian superpower’s act of cyber espionage as a motivator for launching what became a three-year trade war.
As of this writing, law enforcement officials haven’t identified any suspects in connection with the hospitality corporation’s 2020 cybersecurity compromise. Regardless, Marriott will likely pay a heavy price for suffering a second major data breach 15 months after its last one.