For the second time in two years, the Marriott hotel empire has suffered a major data breach. This time, approximately 5.2 million guests have been affected.
The attack was carried out via third-party software that Marriott’s hotel properties use to provide guest services, according to an online notice that Marriott posted on Tuesday. The cybercriminals were able to obtain the login credentials for this system used by two employees at a franchise property; from there, they were able to access a raft of guest information.
The stolen bounty includes everything cybercrooks would need to mount convincing spear-phishing campaigns: Full contact details (names, mailing addresses, email addresses and phone numbers); other personal data like company, gender and birthdays; Marriott’s “Bonvoy” loyalty program account numbers and points balances (but not passwords or PINs); linked airline loyalty programs and numbers; and Marriott preferences such as stay/room preferences and language preferences.
Marriott said that the unauthorized access likely started in mid-January and continued for about a month and a half. Upon the hack’s discovery at the end of February, the hotel chain disabled the compromised logins and started an investigation. It began notifying affected guests this week.
No payment card information, passport information, national IDs or driver’s license numbers were caught up in the breach, according to the notice.
The hotel giant also is forcing password resets for Bonvoy loyalty club members, who will also be prompted to enable multi-factor authentication on their accounts.
“This breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring,” said Kelly White, CEO, RiskRecon, via email. “Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior.”
It’s the second breach that Marriott has faced in recent memory. The hospitality giant confirmed in November 2018 that there had been unauthorized access to its Starwood guest reservations database from 2014 up to September 2018. In total, around 383 million records – not guests – were involved in the incident, with multiple records associated to the same individual in many cases. Breaking the information down further, 5.25 million unencrypted passport numbers were included in the breach, along with 20.3 million encrypted passport numbers.
In 2019, the Information Commissioner’s Office (ICO), which is the U.K.’s privacy watchdog, hit Marriott with a $123 million (£99 million) penalty under the auspices of the EU’s General Data Protection Regulation (GDPR).
The latest breach lacks the scope of that prior incident, and impacts less sensitive information, but many have taken to Twitter to complain:
It's time for the annual @Marriott data breach! At some point I thought the @ICOnews was going to fine these clowns & make them stop leaking data everywhere. https://t.co/joXZU4PToT
— 2020 Ian Thornton-Trump, CD V 3.0 (@phat_hobbit) March 31, 2020
Big-name data breaches have not been scarce this year, starting with a January breach at Landry’s, which owns over 600 popular American restaurants across 35 states, such as Del Frisco’s Grill, McCormick & Schmick’s, Rainforest Café and more.
Since then, MGM Grand Resorts reported in February that personal information for 10.6 million hotel guests was posted on a hacking forum, including names, home addresses, phone numbers, emails and dates of birth. And in March, Carnival Cruise Lines, J. Crew and T-Mobile USA all reported cyberattacks within days of each other that resulted in data breaches.
Also in March, pharmacy chain Walgreens warned that a bug in its official mobile app may have exposed sensitive data, including customers’ full names and information on prescriptions for medications they are taking.
And just last week, General Electric reported that personally identifiable information (PII) for its employees had been exposed – think marriage, divorce and death certificates, beneficiary info, passports and more – thanks to the compromise of one of its partners, Canon Business Process Services.
Cloud misconfigurations have continued to ramp up too: Microsoft left a customer support database holding over 280 million Microsoft customer records unprotected on the web in January; and Estee Lauder exposed 440 million customer records via a cloud misconfiguration, in February.Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.