Marriott discloses new data breach-5.2 Million



Marriott discloses new data breach impacting 5.2 million hotel guests

Hotel chain Marriott disclosed today a security breach that impacted more than 5.2 million hotel guests who used the company’s loyalty app.

According to a breach notification posted on its website, the hotel chain learned of the security breach at the end of February, when it discovered that a hacker had used the login credentials of two employees from one of its franchise properties to access customer information from the app’s backend systems.

Marriott says the hack dated back to mid-January but did not disclose additional details about how it happened.

The hotel chain said that the intruder(s) had direct access to Marriott Bonvoy loyalty data such as:

  • Contact details (e.g., name, mailing address, email address, and phone number) 
  • Loyalty Account Information (e.g., account number and points balance, but not passwords)
  • Additional Personal Details (e.g., company, gender, and birthday day and month) 
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers) 
  • Preferences (e.g., stay/room preferences and language preference)

The hotel said that at this moment in the investigation, it did not believe that the hacker gained access to account passwords, account PINs, payment card information, passport information, national IDs, or driver’s license numbers.

Marriott launched a web portal where the app’s users can check if they’re one of the 5.2 million users impacted by the security breach, and what data the hacker might have accessed.

This is the second security breach the hotel chain has disclosed in the past 16 months. In November 2019, Marriott said that hackers gained access to the Starwood Hotels reservation system, from where they stole the personal details of more than 383 million hotel guests (revised from the initial figure of 500 million). See our post-mortem coverage, here. US authorities said they suspected Chinese hackers of being behind the breach, but only put out a statement, with no official charges.
