Marriott Hacked Again. This Time, Personal Information Of 5.2 Million Guests Affected

02/04/2020

Marriott International, Inc. is an American multinational diversified hospitality company that manages and franchises a broad portfolio of hotels and related lodging facilities.

In 2018, the hotel giant disclosed one of the largest data breaches in history, which compromised the information of 500 million guests who had made a reservation at its Starwood hotels.

This time, the company reported that it has fallen victim to another hacking campaign.

The data stolen this time isn't as devastating as in the 2018 hack, given that Marriott managed not to put passport numbers inside the same database. What's more, the number of affected guests is smaller than before.

But still, it affected as many as 5.2 million people.

According to details provided by Marriott, the intrusion dates back to mid-January, when someone purposefully used the credentials of two franchise property employees to access an "unexpected amount of guest information."

That data included contact details like names, email and home addresses, and phone numbers, as well as gender, birthday, frequent flier numbers, loyalty account information, and hotel preferences, like whether guests prefer to have a room near or far from the elevator.

When Marriott became aware of this breach at the end of February, the hotel chain disabled the compromised employees' credentials, started an investigation, and sent out emails to affected guests.

While Marriott bears ultimate responsibility, it's worth noting that both of its hacks were arguably indirect attacks. The 2018 breach was specifically against the reservation database of Starwood, which Marriott acquired in 2016. And this 2020 hack began with a franchisee.

While the investigation is ongoing, the hotel chain stressed in a notice of the breach that it had no reason to believe account passwords for Marriott's Bonvoy rewards program or financial information such as credit card numbers, passport information or driver's licenses were accessed.

But to guard against the worst-case scenario, Marriott said that it has reset the passwords of all Bonvoy members who could have been affected.

This means that the next time the members log in, they'll need to change their password and will be prompted to enable multi-factor authentication.

The company also took steps to help its guests with the situation by offering a personal monitoring service free of charge for a year, although the service is not available in all countries. The authorities were notified as well.

While this 2020 Marriott hack wasn't as severe as its 2018 case, the information stolen by hackers could allow them to create individualized phishing schemes or threats. Not to mention that it took Marriott over a month to notify people that their information had been compromised, giving scammers and hackers a significant head start.

As for Marriott, having experienced two consecutive hacks in only 18 months could have an effect on its brand.