Marriott International Announces a Security Breach Affecting 5.2 Million Guest Records

• Marriott International suffered a data breach after hackers managed to access their internal systems.
• The sensitive details of more than five million hotel guests may have been stolen as a result.
• The compromised individuals are now offered with twelve months of protection services for free.

Marriott International, one of the world's largest hotel chains in charge of 30 brands and 7,000+ properties in 131 countries around the globe, has announced yet another data breach. According to the notification that is now circulated to the guests of the hotel chain, someone has managed to access the company's internal systems by using two employee credentials in February 2020. Upon investigating the suspicious activity, the forensics experts found that the cyber-attack has most likely started even earlier, probably around mid-January 2020. The compromised login credentials were disabled immediately, and Marriott notified the authorities accordingly.

The data that has been potentially accessed by the malicious actors concern 5.2 million guests and include the following types of information:

• Contact details (e.g, name, mailing address, email address, and phone number);
• Loyalty account information (e.g., account number and points balance, but not passwords);
• Additional personal details (e.g., company, gender, and birthday day and month);
• Partnerships and affiliations (e.g., linked airline loyalty programs and numbers);
• Preferences (e.g., stay/room preferences and language preference).

Marriott specifically states that they believe the information involved in this security incident does not include customer account passwords, PINs, payment card information, passport information, national IDs, and driver’s license numbers. Even from the above entries, not everything concerns everyone, so the hotel guests are advised to use the privacy portal that has been set up to help them figure out what information unauthorized actors have accessed that concerns them.

Marriott is now offering a full year of monitoring services by “IdentityWorks” free of charge, for those who have had their sensitive data accessed by hackers. Moreover, all Marriott Bonvoy passwords have been disabled, and users will be asked to reset those when trying to log-in to their account next time. To enroll for the data protection and monitoring services, follow the instructions on this web page, but make sure to complete your registration before June 30, 2020.

In November 2018, Marriott disclosed a massive data breach that exposed the personal details of more than 500 million customers. Back then, hackers managed to break into the hotel’s guest reservation database and maintained access for four years, from 2014 until 2018. Fines were imposed on Marriott for failing to protect its customer data, but there are way stricter laws that underpin client data exposures now, so a lot more hefty fines will soon be on their way.