Hospitality group Marriott International announced that it has been hit by a data breach that exposed the personal information of around 5.2 million guests. In an official release, the company stated that the breach began in mid-January 2020 and was discovered at the end of February 2020. The incident exposed contact details including names, addresses, birth dates, gender, email addresses, employer name, room stay preferences, and loyalty account numbers. However, Marriott clarified that passport information, payment details, and passwords were not exposed in the breach.
It’s believed that the exposed data has been accessed by an unknown third party using the login credentials of two employees at a group hotel, which is operated and franchised under Marriott’s brand. Marriott notified the incident to the relevant authorities for further investigation and informed those who were affected in the breach. Marriott also set up a website to help the impacted guests in the incident.
“Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” the company said in a statement. “Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
Not the First Time
This is Marriott’s second breach incident after a massive data leak was announced in 2018, which saw around 500 million guests’ data exposed over the course of several years. Hackers extracted people’s personal data like passwords, loyalty program payment, reservation information, as well as encrypted credit card data of 100 million customers. The first breach originated in 2014 at Starwood, which was acquired by Marriott International in 2016, and was uncovered after four years in September 2018, when an internal security tool alerted the staff about the unauthorized data access. Consequently, the company faced a class-action suit, which led to a decline in its shares by 5.6%.
Big Blow for Marriott
In July 2019, the U.K.’s Information Commissioner’s Office (ICO) imposed £99.2 million (US$123.7 million) fine on Marriott International, for the data breach. The ICO stated that Marriott failed to protect its customers’ information, violating the EU’s GDPR regulations.
