Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

Marriott Suffers Another Massive Data Breach

Employees' Credentials Used to Steal 5.2 Million Customers' Personal Details
Marriott Suffers Another Massive Data Breach
Photo: Marriott

Hotel giant Marriott in 2018 disclosed that it had suffered one of the worst data breaches in history. On Tuesday, Marriott warned that it has suffered a second big data breach, this time exposing information on 5.2 million customers.

See Also: Effective Communication Is Key to Successful Cybersecurity

This most recent data breach began around mid-January and continued until the end of February, and apparently did not expose payment card information, Marriott says in its data breach notification. But the breach did expose email addresses, mailing addresses, Bonvoy - aka loyalty - rewards numbers and other personally identifiable information.

"Although Marriott's investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver's license numbers," Marriott says.

Marriott says it carries cyber insurance.

Mega-Breach, Take Two

The new breach alert follows Marriott in November 2018 announcing that its Starwood guest reservation database had been hacked, exposing approximately 339 million customer records. Exposed data included names, mailing addresses, phone numbers, email addresses, passport numbers and, in some cases, encrypted payment card information.

That breach eventually led Britain's Information Commissioner's Office, the country's privacy watchdog, to propose that Marriott be fined approximately $125 million under the EU's General Data Protection Regulation (see: Marriott Faces $125 Million GDPR Fine Over Mega-Breach). Marriott is appealing the fine, and experts say the legal uncertainty caused by Britain having now formally exited the EU may require the EU to launch a new investigation.

Marriott has over 7,300 hotel and guest properties in 134 countries and territories around the world. In addition to the Marriott name, its 30 brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. In 2019, the company had $20.9 billion in revenue.

Potentially Stolen: Employee Credentials

In the most recent data breach, Marriott is investigating whether the login credentials assigned to two employees who worked at one of the company's properties were used to access an application that helps provide services to customers, the company says in its notification.

It's not clear whether the two workers are under investigation for accessing the system or had their passwords and usernames stolen or phished.

A spokesman for Marriott could not be immediately reached for comment.

"The company believes that this activity started in mid-January 2020,” Marriott says in its breach notification. “Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations."

While details about this latest breach are currently scarce, there are two obvious ways that this security incident could have occurred, says Chris Pierson, CEO of cybersecurity firm BlackCloak.

"The first is that a legacy system is being accessed online without dual-factor authentication and without a proper gateway," Pierson tells Information Security Media Group. "The second is that this was a credential compromise as a result of an infected system, phishing or credential stuffing attack. The key here is to have log-in anomaly detection, dual-factor authentication on all system as well as data exfiltration analytics."

One cause for concern is that Marriott said attackers had potentially compromised stored passwords, which could imply the company was storing these passwords in plaintext, which would make them easier to steal or abuse, says Jake Williams, a former hacker with the National Security Agency's Tailored Access Operations unit and founder of Rendition Infosec.

"The fact that there's no clarification about the passwords and PINs being hashed would suggest that they were not," Williams tells ISMG. "I would normally wait for clarification on this from an organization, but given that they've already been through this recently, I would expect they reviewed this [breach notification] for technical accuracy before publication."

Extensive Personal Data Exposed

Customer personally identifiable information that appears to have been exposed over a two-month period includes:

  • Contact details, including name, mailing address, email address and phone number;
  • Loyalty account information, including account numbers and points balances but not passwords;
  • Personal details, including companies customers worked for, gender and birth day and month;
  • Partnerships and affiliations, including airline loyalty programs and numbers linked with Marriott accounts;
  • Hotel preferences, including room and language preferences.

Marriott says not all of these records were exposed for every customer affected by the breach. The company has created a dedicated website and call center for customers that may have been affected.

In the company’s earlier breach incident, Marriott said attackers accessed the customer reservation network for its Starwood properties starting in 2014, but the breach was not detected and disclosed until late in 2018. The breach notably persisted past September 2016, which is when Marriott International completed its acquisition of Starwood Hotels & Resorts Worldwide for $13 billion (see: Banks: Starwood Breach Not Isolated).

Latest Breach Detected Relatively Quickly

The biggest difference between the two breaches is that Marriott appears to have detected the latest intrusion much more quickly, Pierson says. "The landscape of a distributed company with franchises is difficult to manage. This is why cybersecurity needs to be deployed at every endpoint and entryway," he says.

Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting, says that it appears that Marriott over the last two years has improved its security monitoring capabilities. That's the likely reason why it discovered the January intrusion relatively quickly - by the end of February - thus preventing even more customer records from potentially being exposed.

"It is unclear whether the staff accounts used to compromise the data were somehow hijacked and used by malicious third parties, or if the accounts used were the result of an insider," Honan tells ISMG. "Regular monitoring for suspicious activity and restricting access to data are key controls to prevent such a breach from happening, and again it is good to see Marriott taking steps to enhance those controls."

Different Regulatory Landscape

Another notable difference between 2018, when the earlier Marriott breach was disclosed, and the new breach, is that the company may face additional legal scrutiny, beyond even GDPR in Europe. For example, if any of the breached records involves California residents, this breach might prove to be a test case for the California Consumer Privacy Act, says Richard Santalesa, a technology and data privacy attorney at SmartEdgeLaw Group, a boutique law firm with offices in New York and Connecticut.

"Despite the ongoing pandemic and California Attorney General's Office regulations still not being finalized, the AG's office has said that enforcement will not be delayed and will start July 1, 2020, and look retroactively back to Jan. 1, 2020, when CCPA kicked off," Santalesa says. "So, the Marriott breach could be a CCPA enforcement matter - potentially."

Executive Editor Mathew Schwartz contributed to this report.


About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.