- Marriott International suffered a data breach impacting about 5.2 million guests a little over a year after disclosing a breach impacting 383 million guest records.
- The hotel chain found the intrusion at the end of February and believes it began mid-January, according to the announcement. The culprits leveraged login credentials through an application Marriott-owned franchises and hotels share for guest services.
- While the investigation is ongoing, the company doesn't believe the compromised information included Marriott Bonvoy account passwords, payment card information, passport information or driver's license numbers. However, impacted data likely includes guests' contact information, loyalty account data and personal travel preferences.
When Marriott disclosed its breach at the end of 2018, it highlighted risks found in mergers and acquisitions. The hotel chain unknowingly inherited a security flaw from Starwood Hotels and Resorts Worldwide in 2016. Starwood's server had been compromised since 2014.
The company's data breach violated basic data privacy laws, but the intimate guest details hotels collect amplify security risks. Bad actors can create even more personalized cyberattacks on individuals, gaining insight into guests' travel patterns.
The data breach resulted in a $124 million fine from the United Kingdom's Information Commissioner's Office under GDPR. The regulator justified the fine saying the hotel chain failed to perform due diligence with inspecting its acquired technology stack. At the time U.K. watchdog announced its intended fine, Marriott said it would "respond and vigorously defend its position."
With the CCPA in effect, Marriott could face breach-related fines from the new incident. The CCPA has a clause stating victims of a breach could receive up to $750 each.
Marriott had just onboarded a new chief information and digital officer, Jim Scholefield, in February. The hotel's former CIO is set to retire mid-2020. Scholefield was brought on to modernize Marriott's IT.
The hotel company's second major data breach in less than two years could jeopardize guest loyalty and existing security measures.
"While the disclosure provides useful information for the consumers affected, it offers little for information security practitioners to better understand how to avoid similar incidents in the future," said Tim Erlin, VP, product management and strategy at Tripwire, in an emailed statement to CIO Dive.
In Marriott's latest data breach, intruders leveraged stolen credentials which are, along with backdoor techniques, among the most likely causes of data breaches. Improper credential use is difficult to track because it appears valid. "In these cases, organizations often have to look at what changes that attacker is making as they carry out their objective in order to detect the malicious activity," said Erlin.