Marriott Hotel announced Tuesday, March 31, 2020, yet another data breach. The latest leak reportedly affects 5.2 million people after the hackers gained access to a database.
Based on its statement, the popular hotel chain became aware of the incident sometime around February 2020. However, its internal investigations found out that their database had been accessed since mid-January of this year. Credentials of two hotel employees were used to access the system.
Some of the information compromised in the incident include the names of guests and personally identifiable details. These include names, contact numbers, email addresses, and addresses. Moreover, the individual’s gender, date of birth, and company information have also been mined.
Loyalty Account information, including the account number and points within, have also been compromised, according to the data released by the hotel giant. As such, guest and customer preferences, such as their preferred rooms and amenities, as well as languages, were also obtained.
In addition, partnerships and affiliations of guests and customers may have been involved, including their airline loyalty programs and numbers.
While the aforementioned information may have been compromised, Marriott Hotel maintains that they “have no reason to believe” that payment information was stolen. The company’s statement suggests that passwords, credit card information, and IDs remain safe.
Although the company was quick to inform the public via its statement, USA Today states the firm has yet to issue a statement on the involvement of the two employees. Marriott also failed to disclose if the two employees were suspected.
Following the incident, the hotel chain immediately notified its guests and customers via email on March 31, 2020. Prior to that, the company has begun investigations on the matter, as well as enacted enhanced security measures and improved monitoring.
In line with this incident, Marriott Hotel is currently urging its customers to change their passwords as the team disabled users’ Marriott Bonvoy account. On top of this, guests are also enjoined to enable multi-factor authentication to prevent fraudulent access to the said account.
Chief executive officer Kelly White of RiskRecon, a security assessment company, said that the “breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring.”
In a statement to ThreatPost, White said both of these actions “would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise.”
This incident is the hotel chain’s second data breach in less than two years. In November of 2018, the hotel chain announced a breach of its Starwood guest reservations database. Approximately 383 million records were involved, reports ThreatPost.