The Marriott Hotel Group has revealed that it has suffered its third data breach in just over two years, one that has impacted the private data of up to 5.2m guests.
The hotel group, which operates Marriott Hotel and Starwood Hotels, released a statement saying that it uses an application to help provide services to its guests. However, from the middle of January this year, the login details of two employees at a franchised property were used to access guest information on this app. The group has not revealed which chain of hotels was responsible for the breach. Starwood Hotels runs eleven hotel brands including 1,297 properties comprising 370,000 hotel rooms in around 100 countries globally.
The breach was discovered before the beginning of March. Access to the compromised accounts was promptly disabled and an official review into the breach was initiated.
In an official statement on the breach, the hotel chain revealed that an “unexpected amount of guest information may have been accessed”. It went on to add that there is no indication that passwords, PINs, payment card information, passport information or national IDs were accessed as part of the breach.
Despite this, the range of other information that was accessible during the breach includes contact details, loyalty account information, partnerships and affiliations, hotel preferences and other personal details.
To allow customers to discover whether they were impacted by the breach, Marriott has created a self-service portal where guests can check whether their information was involved and what information may have been accessed. In addition, the group has established call centres to assist guests and is offering a year's free subscription to a privacy monitoring service to any customers that may have been affected by the private data breach.
Passwords have already been disabled on impacted accounts, and Marriott is advising that guests visit their account portal, create a new password and enable two-factor authentication. Guests should also keep a close eye on all of their accounts for any suspicious or unusual activity. If anything is noticed, it should be reported immediately.
The group could now face a range of different fines and penalties under legislation including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Brendan McManus, of Global Corporate/Financial Communications and Executive Positioning for Marriott International, released a statement in relation to the investigation which said: “Our investigation is still open, and it is too early to comment.”
Previous Marriott Hotel Data Breaches
In November 2018, it was revealed that hackers had been accessing the group's Starwood guest reservation database for over four years. 383 million guests were affected by the data privacy breach.
The subsequent review showed that 383 million guest records had been accessible during the breach, including:
- 18.5 million encrypted passport numbers
- 5.25 million unencrypted passport numbers
- 9.1 million encrypted payment card numbers
- 385,000 card numbers that were still
In the United Kingdom, the Information Commissioner's Office fined the group £99m ($123m) in relation to the breach in 2019.
It was also revealed, in a letter to the California attorney general in October 2019, that hackers had obtained around 1,552 company employees’ names, addresses and Social Security numbers through a former vendor that handled official documents such as court orders and subpoenas.