Marriott's second data breach impacts 5.2 million guests

Eloise Hanson, uploaded 01 April 2020


Worldwide: Marriott has reported that an “unexpected amount” of guest information has potentially been accessed using the login credentials of two employees at one of its franchise properties.

Marriott International announced yesterday that the breach was first identified at the end of February 2020, and believes that the activity started in mid-January 2020.

The following guest information has been accessed, although not all of it was present for every guest involved:

  • Contact Details (e.g. name, mailing address, email address, and phone number)
  • Loyalty Account Information (e.g. account number and points balance, but not passwords)
  • Additional Personal Details (e.g. company, gender, and birthday day and month)
  • Partnerships and Affiliations (e.g. linked airline loyalty programs and numbers)
  • Preferences (e.g. stay/room preferences and language preference)

Marriott said in a statement: “Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

Rosemary O’Neill, director of customer delivery for NuData Security, a Mastercard company, said: “It is unfortunate that Marriott was hit again. In a time when travel companies are seeing their traffic go down, bad actors can still use the stolen information against other companies where those same customers transact. This news needs to remind merchants and other companies transacting online that their systems are never entirely safe from breaches, brute force attacks, account takeovers, and phishing attacks. These can happen at any time, and companies need to have their post-breach process ready. 

“This plan includes the implementation of a stronger verification framework so they can still correctly authenticate their good users despite the use of potentially stolen credentials. This sort of data exposure is why so many organisations – from the hospitality sector through to eCommerce companies, financial institutions, and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics. These technologies identify customers by their online behaviour, thus mitigating post-breach damage as hackers are not able to impersonate individual behaviour.”

This is the second data breach Marriott has suffered in less than 18 months.

In November 2018, a hacker had obtained “some combination” of name, address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information of more than 300 million guests. 

Marriott was issued a fine of $123 million in the wake of the breach.

