Who says lightning doesn’t strike the same place twice? On March 31, hotel chain Marriott announced that it had suffered another data breach. The first breach was disclosed in November 2018, when the records of 339 million guests were exposed. Marriott was fined $123 million USD in 2019 by the UK Information Commissioner’s Office for violations under GDPR. This time, it appears that 5.2 million guests were affected.
According to a notification on Marriott’s website, the chain noticed unusual activity occurring in an app that guests use to access services during their stay. An investigation revealed that the login credentials of two Marriott employees had been used to access "an unexpected amount" of guest information. Data that may have been accessed includes contact details, loyalty account information, personal details such as birth dates, and information concerning linked partnerships and affiliations like airline loyalty programs.
Marriott confirmed that "At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020." An investigation is still ongoing, but at this point, Marriott doesn’t believe that Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers were affected. Marriott says it has notified by email those guests whose information may have been taken and has launched a dedicated website containing resources for those affected. The company is also providing a personal information monitoring service, provided by IdentityWorks, to guests whose information may have been stolen.
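The pattern Marriott describes, valid employee credentials pulling "an unexpected amount" of guest records for roughly six weeks before anyone noticed, is exactly what a per-account volume baseline is meant to catch. The following is an added example written for this post, not code from Marriott or from the original article: it baselines each account's daily guest-record lookups over a trailing window and flags days that stand far outside that baseline. The account names and counts are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

def build_sample_log():
    """Constructed log of guest-record lookups as (day, account, count).
    Two front-desk accounts keep a normal rhythm; on the last two days one
    of them starts pulling far more records than it ever has. Not real data."""
    start = date(2020, 1, 1)
    log = []
    for i in range(21):
        day = start + timedelta(days=i)
        log.append((day, "frontdesk-a", 28 + (i % 5)))  # ~28-32 lookups/day
        log.append((day, "frontdesk-b", 35 + (i % 3)))  # ~35-37 lookups/day
    log.append((start + timedelta(days=21), "frontdesk-a", 640))
    log.append((start + timedelta(days=22), "frontdesk-a", 910))
    log.append((start + timedelta(days=21), "frontdesk-b", 36))
    log.append((start + timedelta(days=22), "frontdesk-b", 37))
    return log

def flag_excessive_access(log, window=14, z=4.0, floor=3.0):
    """Return (account, day, count, baseline_mean) for every day on which an
    account's lookup count exceeds both mean + z*stdev and floor*mean of its
    preceding `window` days. Flagged days are left out of later baselines so
    a gradual ramp-up cannot quietly become the account's new normal."""
    per_account = defaultdict(list)
    for day, account, count in sorted(log):
        per_account[account].append((day, count))
    alerts = []
    for account, series in per_account.items():
        baseline = []
        for day, count in series:
            if len(baseline) >= window:
                hist = baseline[-window:]
                mu, sigma = mean(hist), pstdev(hist)
                if count > mu + z * sigma and count > floor * mu:
                    alerts.append((account, day, count, round(mu, 1)))
                    continue  # keep the anomaly out of the baseline
            baseline.append(count)
    return alerts

if __name__ == "__main__":
    for account, day, count, mu in flag_excessive_access(build_sample_log()):
        print(f"{day} {account}: {count} lookups vs baseline ~{mu}/day")
```

In a real deployment the baseline would also be keyed on role, shift and property so that a busy check-in day is not mistaken for misuse, but the core check stays the same: compare each credential against its own history, every day.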
While Marriott seems to be doing the right things in terms of disclosure and identity monitoring, The Computer Business Review (CBR) claims that Marriott is downplaying the seriousness of the incident. CBR quotes Marriott, “Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage. The company does not currently believe that its total costs related to this incident will be significant.” Yikes! Even more troubling is the fact that hotels keep a lot of personal data, yet don’t seem to have enough security measures in place. Casey Ellis, CTO and founder of security firm Bugcrowd, told CBR, “This attack emphasizes the need for the hospitality industry to take security seriously. Hotels collect more private personal information than most enterprise organizations (birthdays, passport numbers, email and mailing addresses, and phone numbers). Cybercriminals know what types of organizations collect troves of sensitive data, and given the amount of valuable information at hand, hospitality organizations can no longer afford to ignore their vulnerabilities.”
If your organization needs help managing vulnerabilities, compliance and/or cyber security, Uzado is here to help. Learn about our managed services by clicking the link below.