Dive Brief:
- Marriott International suffered a data breach impacting about 5.2 million guests a little over a year after disclosing a breach impacting 383 million guest records.
- The hotel chain discovered the intrusion at the end of February and believes it began in mid-January, according to the announcement. The attackers used login credentials to access an application that Marriott-owned hotels and franchises share for guest services.
- While the investigation is ongoing, the company doesn't believe the compromised information included Marriott Bonvoy account passwords, payment card information, passport information or driver's license numbers. However, impacted data likely includes guests' contact information, loyalty account data and personal travel preferences.
Dive Insight:
When Marriott disclosed its breach at the end of 2018, it highlighted risks found in mergers and acquisitions. The hotel chain unknowingly inherited a security flaw from Starwood Hotels and Resorts Worldwide in 2016. Starwood's server had been compromised since 2014.
Beyond violating basic data privacy laws, the breach exposed the intimate guest details that hotels collect, and those details amplify the security risk: with insight into guests' travel patterns, bad actors can craft far more personalized attacks on individuals.
The data breach resulted in a $124 million fine from the United Kingdom's Information Commissioner's Office under GDPR. The regulator justified the fine by saying the hotel chain failed to perform due diligence in inspecting the technology stack it acquired. At the time the U.K. watchdog announced its intended fine, Marriott said it would "respond and vigorously defend its position."
With the CCPA in effect, Marriott could face breach-related fines from the new incident. The CCPA has a clause stating victims of a breach could receive up to $750 each.
Marriott had just onboarded a new chief information and digital officer, Jim Scholefield, in February. The company's former CIO is set to retire in mid-2020. Scholefield was brought on to modernize Marriott's IT.
The hotel company's second major data breach in less than two years could jeopardize guest loyalty and existing security measures.
"While the disclosure provides useful information for the consumers affected, it offers little for information security practitioners to better understand how to avoid similar incidents in the future," said Tim Erlin, VP, product management and strategy at Tripwire, in an emailed statement to CIO Dive.
In Marriott's latest data breach, intruders used stolen credentials, which, along with backdoors, are among the most likely causes of data breaches. Misuse of legitimate credentials is difficult to track because the activity itself appears valid. "In these cases, organizations often have to look at what changes that attacker is making as they carry out their objective in order to detect the malicious activity," said Erlin.
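As an added example (not code from the article, Marriott or Tripwire), the detection approach Erlin describes applied to a shared guest-services application: instead of asking whether a login is valid, compare each credential's guest-record access volume against that credential's own baseline. The audit-log format, credential names, thresholds and sample lines are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median


def parse_line(line):
    """Assumed audit-log format: ISO timestamp,credential,action,guest_id."""
    ts, cred, action, guest = line.strip().split(",")
    return ts, cred, action, guest


def hourly_lookups(lines):
    """Count guest_lookup events per credential, bucketed by hour ('YYYY-MM-DDTHH')."""
    counts = defaultdict(Counter)
    for line in lines:
        ts, cred, action, _ = parse_line(line)
        if action == "guest_lookup":
            counts[cred][ts[:13]] += 1
    return counts


def flag_anomalies(lines, cutoff, factor=5, floor=20):
    """Return {credential: [(hour, count, baseline)]} for hours at or after `cutoff`
    whose lookup count exceeds `factor` times the credential's median hourly rate
    before the cutoff. The absolute `floor` keeps near-zero baselines from alerting
    on a single extra lookup."""
    alerts = {}
    for cred, per_hour in hourly_lookups(lines).items():
        baseline = [n for h, n in per_hour.items() if h < cutoff] or [0]
        typical = median(baseline)
        hits = [(h, n, typical) for h, n in sorted(per_hour.items())
                if h >= cutoff and n > max(floor, factor * typical)]
        if hits:
            alerts[cred] = hits
    return alerts


def build_sample_log():
    """Constructed sample: a front-desk credential doing a few lookups per working hour,
    then the same credential pulling hundreds of records at 02:00 one night."""
    lines = []
    for day in ("2020-01-13", "2020-01-14", "2020-01-15"):
        for hour in ("09", "10", "11", "14", "15"):
            for i in range(4):  # 4 lookups per hour is the normal pace
                lines.append(f"{day}T{hour}:{i * 10:02d}:00,desk-user-17,guest_lookup,g-{day[-2:]}{hour}{i}")
    for i in range(300):  # bulk pull; the credential is valid, the behaviour is not
        lines.append(f"2020-01-16T02:{i % 60:02d}:00,desk-user-17,guest_lookup,g-bulk-{i}")
    lines.append("2020-01-16T09:00:00,desk-user-42,guest_lookup,g-x1")  # new user, one lookup
    return lines


if __name__ == "__main__":
    print(flag_anomalies(build_sample_log(), cutoff="2020-01-16"))
```

Only desk-user-17's 02:00 hour is reported; desk-user-42 has no baseline and stays below the floor, so it is not flagged.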