Marriott International reveals details of another data breach
Towards the end of 2018, Marriott International suffered a data breach of its Starwood Hotel reservation database. Now the hotel chain has revealed that it suffered a second data breach earlier this year.
The company says that at the end of February it noticed that an "unexpected amount of guest information" could have been accessed using the login credentials of two employees. It is thought that this access started in the middle of January, and up to 5.2 million customers have been affected.
The hotel chain has not said who it believes to be responsible. It is not clear whether the two employees whose credentials were used are involved, or if their accounts were compromised. Anyone who has been affected by the data breach should have been contacted via email today.
While it appears that enough personal data has been accessed for criminals to execute a phishing campaign, Marriott International says that payment information was not accessed.
In an incident notification posted on its website, Marriott International says: "Hotels operated and franchised under Marriott's brands use an application to help provide services to guests at hotels. At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests".
It goes on to explain:
Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver's license numbers.
At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved:
- Contact Details (e.g., name, mailing address, email address, and phone number)
- Loyalty Account Information (e.g., account number and points balance, but not passwords)
- Additional Personal Details (e.g., company, gender, and birthday day and month)
- Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)