After an unidentified threat actor broke into one of its locations and took 20GB of files, hotel industry behemoth Marriott International said it had experienced another data breach. Only the BWI Airport Marriott was breached by the attackers, and they could only access its network for a short period.
“This incident only involved one property. The threat actor did not gain access to Marriott’s core network. The access to one device at the property involved only lasted for approximately six hours,” said a Marriott spokesperson. “The threat actor used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer. The threat actor did not impersonate any Marriott vendor.”
The company did not provide any information on the stolen data. However, it did confirm to DataBreaches (who broke the story) that the 20GB worth of papers taken during the hack included some credit card information and non-sensitive internal business files. Marriott has not yet said if the threat actor stole information from the hotel’s visitors, staff, or both.
Additionally, the attackers tried to blackmail Marriot by threatening to post the stolen materials online. However, the hotel chain insisted that it had neither paid nor given anything to the threat actor. Marriott said it alerted the FBI and engaged a private security company to investigate the event. The hotel behemoth continued by saying it would warn the 300–400 people affected by the data breach and the pertinent data regulators.
After revealing the personal information of 5.2 million hotel guests (including contact and personal details) in a data breach it announced in 2020, this is the third data leak Marriott has confirmed since 2018. A hack of the company’s Starwood Hotels guest reservation database, which contained data on hundreds of millions of customers, was also disclosed in November 2018.
According to Marriott, which uncovered the problem two years after Starwood’s takeover, the information taken in the attack included guests’ names, personal information, addresses, unencrypted passport numbers, and AES-128-encrypted payment information. The personal information of some 339 million visitor records worldwide was compromised as early as 2014. Marriott International was fined £14.4 million (about $24 million) by the UK Information Commissioner’s Office (ICO) for violating the General Data Protection Regulation (GDPR).
