[BreachExchange] Marriott discloses new data breach impacting 5.2 million hotel guests

Destry Winant destry at riskbasedsecurity.com
Wed Apr 1 10:33:53 EDT 2020


Hotel chain Marriott disclosed today a security breach that impacted
more than 5.2 million hotel guests who used the company's loyalty app.

According to a breach notification posted on its website, the hotel
chain learned of the security breach at the end of February, when it
discovered that a hacker had used the login credentials of two
employees from one of its franchise properties to access customer
information from the app's backend systems.

Marriott says the hack dated back to mid-January but did not disclose
additional details about how it happened.

The hotel chain said that the intruder(s) had direct access to
Marriott Bonvoy loyalty data such as:

- Contact details (e.g., name, mailing address, email address, and phone number)
- Loyalty Account Information (e.g., account number and points balance, but not passwords)
- Additional Personal Details (e.g., company, gender, and birthday day and month)
- Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)

The hotel said that at this point in the investigation, it did not
believe that the hacker had gained access to account passwords,
account PINs, payment card information, passport information, national
IDs, or driver's license numbers.

Marriott launched a web portal where the app's users can check if
they're one of the 5.2 million users impacted by the security breach,
and what data the hacker might have accessed.

This is the second security breach the hotel chain has disclosed in
the past 16 months. In November 2019, Marriott said that hackers
gained access to the Starwood Hotels reservation system, from where
they stole the personal details of more than 383 million hotel guests
(revised from the initial figure of 500 million). See our post-mortem
coverage, here. US authorities said they suspected Chinese hackers of
being behind the breach, but only put out a statement, but no official
