Marriott Discloses Second Security Breach, Affecting Millions
Disclosing its second major security breach in the past two
years, the international hotel chain Marriott announced on Tuesday that a
hacker had accessed data affecting up to 5.2 million guests who used Marriott
Bonvoy, the company’s loyalty app.
Marriott said the hack began in mid-February but
company officials did not become aware of it until the end of February. A breach
notification published on Marriott’s website details how a hacker used login
credentials of two employees at a Marriott property to access customer information
from the Bonvoy database.
“Upon discovery, we confirmed that the login credentials
were disabled, immediately began an investigation, implemented heightened
monitoring, and arranged resources to inform and assist guests,” the breach
notification reads.
While the company investigation remains ongoing, Marriott
has not found evidence that the hacker accessed account passwords, payment card
information, passport information, national ID numbers or driver’s license
numbers. The exposed information did include the following:
- Contact details (e.g., name, mailing address, email address, and phone number)
- Loyalty account information (e.g., account number and points balance, but not passwords)
- Additional personal details (e.g., company, gender, and birthday day and month)
- Partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)
Not all of this information was entered for each guest, the
company said. Guests involved in the breach were notified by Marriott on
Tuesday, and the chain has also set up a self-service online portal for guests
to check whether their information was involved in the breach. Affected
individuals can also see what categories of information were part of the
breach.
Paul Bischoff, a privacy advocate with the tech research and
consumer website Comparitech, said that the biggest threat facing Marriott
customers in the recent breach is “targeted phishing.”
“Guests should be on the lookout for targeted messages from
scammers posing as Marriott or a related company,” Bischoff said. “Don't click
on links or attachments in unsolicited emails. Check email addresses and don't
just trust display names. If you're uncertain as to whether a message is
legitimate or not, ask Marriott using contact information found through
Google.”
Back in November 2018, Marriott also disclosed that hackers
had accessed personal details of an estimated 500 million guests worldwide
through the Starwood Hotels reservation system it had acquired. While the
company has since lowered the total to 383 million, Marriott has faced
penalties in the U.K. for lax cybersecurity practices. Chinese hackers are
suspected in that case.
Andrew Hollister, the director of LogRhythm Labs, noted that
there are some positives to draw from Marriott’s disclosure on Tuesday,
particularly in the company’s response time to the breach.
“In the previous incident in 2018, Marriott detected signs
of unauthorized activity going back four years,” Hollister said. “In this new
case, the activity appears to have begun in January 2020 and been detected
during the course of February 2020. This is a significant improvement in time
to detect and respond to a data breach.”
He added: “This latest data breach just goes to show that
continuing vigilance is required to keep reducing the time to detect and
respond to threats, and that real reductions in impact can be made with focus
on this issue which affects every company on the globe which holds personal
information.”