It’s been a bad month for hotel chain Marriott International. Last week, it furloughed tens of thousands of workers as travel plummeted in the wake of the covid-19 pandemic, and its stock price has plummeted over 50 percent from the start of the year. On Tuesday, it also disclosed that it was hacked, again, with the records of up to 5.2 million guests exposed.
That’s the third successful cyber attack against Marriott in the last 18 months, according to the Wall Street Journal. This one is much smaller than the 2018 breach which exposed over 500 million customer records and exposed the hotel chain to massive legal liability and a $124 million GDPR fine, and it appears to involve less sensitive data. But it is much larger than breach disclosed in October 2019 of 1,552 employees’ names, addresses, and Social Security numbers.
The attackers may have stolen up to 5.2 million records of participants in its Marriott Bonvoy loyalty program, Marriott said in a press release, with the exposed information including contact and address details, loyalty program data, and personal information like employer, gender, and birthday. The chain believes the attack began in January 2020, though it didn’t notice it until the end of February.
The hotel chain wrote in the release there was no evidence that the attackers were able to access any payment information, like credit card numbers and PINs. It said the same of customer passwords, passports, and IDs. However, breaches such as this can help cybercriminals pull off more sophisticated phishing scams that aim to trick exposed users into handing over banking credentials.
Marriott spokesman Brendan McManus told the Journal that whoever was behind the attack used login credentials for two employees of a franchised hotel in Russia. He declined to comment on whether those staffers are suspect, telling the paper “Our investigation is ongoing, and it is too premature to comment on that.”
“Most breaches could simply be prevented with multifactor authentication,” David Kennedy, CEO of cybersecurity firm TrustedSec, told Wired. “For any type of elevated access, organizations should be leveraging enhanced security controls. Multifactor authentication should be applied for everyone. And for elevated accounts that have high levels of access, the scrutiny on security should be even more extensive.”
Rusty Carter, president of security firm Arxan Technologies, told Wired that “There are outstanding questions about the security of Marriott’s APIs and how hotels are allowed to access them.”
Marriott said it has emailed users involved in the breach from the marriott@email-marriott.com address, will prompt them to set up two-factor authentication on loyalty accounts, and will additionally extend one year of identity monitoring services to those affected. According to the Journal, the UK Information Commissioner’s office—which issued the $124 million fine over the last breach—said it was in contact with the company.
“But when you get into multiple breaches, then you’re automatically going to be dealing with intense scrutiny from the regulators,” former Florida consumer protection official and Gardner Brewer Martinez-Monfort PA parter Richard Lawson told the Journal. “The idea being, of course, that this company was on notice, this company had this issue before, and had a visit from us before. And here we are again.”