Marriott has been breached again – this time exposing 5.2M customers

Marriott is once again the victim of a major data breach, exposing the data of millions of guests.
1 April 2020

This is the second major data breach Marriott has experienced. Source: AFP

Global hotel chain Marriott made headlines for the wrong reasons in 2018, when an attack on its Starwood Hotels brand left the details of some 500 million guests compromised.

What could be worse than that? Well, on Tuesday (31 March), the hospitality giant reported another data breach, this one affecting about 5.2 million guests worldwide.

The hotel chain said guests’ names, loyalty account information and other personal details may have been accessed.

That other information includes birthdays, phone numbers and addresses, as well as loyalty account details linked to partner companies such as airlines.

However, the hotel chain said in its press release that it does not believe any guests’ credit card, passport or driver’s licence data was compromised. That makes this incident less severe than the 2018 breach, in which payment card details were taken (although Marriott said many of them were out of date).

Upon investigation, Marriott first noticed suspicious activity at a franchised property and traced it to the login credentials of two employees, which had been used to access an unexpectedly large amount of guest data. Those credentials have since been disabled, and the company believes the unusual activity began in mid-January this year.

Besides the reputational damage, Marriott has already felt the financial sting of data breaches. In 2019, following the first high-profile breach, the UK Information Commissioner’s Office (ICO) announced its intention to fine the company about US$123 million (£99 million).

Equally striking was the revelation that the Starwood breach had been going on for four years before it was discovered. The ICO’s investigation concluded that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

It is uncertain how the multinational company will move on from the hefty fine proposed by European authorities last year and this week’s data breach. At present, the hotel chain is taking measures such as notifying affected guests by email and setting up a dedicated website and call centres to provide them with additional information.

The incident once again exposes a key cybersecurity weakness in the hotel industry: franchising, and the limited control a brand has over consistent security policy and practice across the many separately operated properties that carry its name.

Commenting on the incident, Tim Mackey of the Synopsys Cybersecurity Research Center (CyRC) remarked on the consequences when businesses fail to adopt robust cybersecurity measures.

“This data breach at Marriott International highlights the importance of performing a detailed threat model on business operations and then implementing appropriate monitoring controls to ensure that threat vectors can be quickly identified,” the principal security strategist told TechHQ.

Analyzing the case, Mackey noted the difficulty of creating alerts that catch credential misuse, in this case the misuse of valid employee login credentials.

He suggested deploying a system that picks up on unusual activity by factoring in aspects such as the time of day and the amount and volume of data being accessed. “Implementing such controls requires organizations to look not only at the application security and how it’s deployed but the intended usage patterns incorporating human factors data.”
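As an added illustration of the kind of monitoring Mackey describes (example code written for this page, not from Marriott, Synopsys or the article): a small per-user baseline detector that profiles a clean window of application access logs and then flags requests that are unusual in volume or hour for that user, plus a daily-total check for the "low and slow" case where each individual request looks normal. The log format, the user ids (fd_alice, fd_bob), the property code and every figure are constructed for the example; none of them come from the incident.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed application access log (not real Marriott data): one line per
# request, with the user, the property the login belongs to and the number
# of guest records the request returned. This window is assumed to be clean.
BASELINE_LOG = """\
2020-01-06T09:12:44Z user=fd_alice property=P-1021 records=12
2020-01-06T14:05:10Z user=fd_alice property=P-1021 records=8
2020-01-07T10:31:02Z user=fd_alice property=P-1021 records=10
2020-01-07T15:20:56Z user=fd_alice property=P-1021 records=15
2020-01-08T11:02:19Z user=fd_alice property=P-1021 records=9
2020-01-08T16:44:37Z user=fd_alice property=P-1021 records=11
2020-01-09T09:50:03Z user=fd_alice property=P-1021 records=14
2020-01-09T13:17:48Z user=fd_alice property=P-1021 records=6
2020-01-10T10:08:21Z user=fd_alice property=P-1021 records=7
2020-01-10T17:22:09Z user=fd_alice property=P-1021 records=13
2020-01-10T11:30:00Z user=fd_bob property=P-1021 records=9
"""

# Constructed window to examine: a normal day, a bulk pull at night, and a
# "low and slow" day of many requests that each look normal on their own.
REVIEW_LOG = """\
2020-01-13T09:15:31Z user=fd_alice property=P-1021 records=11
2020-01-13T11:40:12Z user=fd_alice property=P-1021 records=9
2020-01-14T02:47:10Z user=fd_alice property=P-1021 records=4500
2020-01-15T09:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T10:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T11:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T13:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T14:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T15:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T16:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T17:01:00Z user=fd_alice property=P-1021 records=14
2020-01-15T10:30:00Z user=fd_bob property=P-1021 records=300
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": kv["user"], "property": kv["property"],
                       "records": int(kv["records"])})
    return events


def _daily_totals(events):
    totals = defaultdict(int)
    for e in events:
        totals[e["time"].date()] += e["records"]
    return totals


def build_baselines(events, min_samples=5):
    """Per-user profile: records per request, records per day, hours seen."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baselines = {}
    for user, evs in per_user.items():
        if len(evs) < min_samples:
            continue  # too little history; a new-account rule should cover these
        sizes = [e["records"] for e in evs]
        days = list(_daily_totals(evs).values())
        baselines[user] = {"req_mean": mean(sizes), "req_sd": pstdev(sizes),
                           "day_mean": mean(days), "day_sd": pstdev(days),
                           "hours": {e["time"].hour for e in evs}}
    return baselines


def _z(value, mu, sd):
    return (value - mu) / (sd if sd > 0 else 1.0)  # guard a constant baseline


def detect(events, baselines, z_threshold=3.0):
    """Return (alerts, users_without_baseline) for a window of events."""
    alerts, unbaselined, per_user = [], set(), defaultdict(list)
    for e in events:
        b = baselines.get(e["user"])
        if b is None:
            unbaselined.add(e["user"])  # cannot score; surface for manual review
            continue
        per_user[e["user"]].append(e)
        reasons = []
        z = _z(e["records"], b["req_mean"], b["req_sd"])
        if z > z_threshold:
            reasons.append(f"request volume {e['records']} (z={z:.1f})")
        if e["time"].hour not in b["hours"]:
            reasons.append(f"hour {e['time'].hour:02d}:00 never seen for this user")
        if reasons:
            alerts.append({"kind": "request", "user": e["user"],
                           "time": e["time"], "reasons": reasons})
    # Second pass: daily totals catch many small requests that each look normal.
    for user, evs in per_user.items():
        b = baselines[user]
        for day, total in sorted(_daily_totals(evs).items()):
            z = _z(total, b["day_mean"], b["day_sd"])
            if z > z_threshold:
                alerts.append({"kind": "daily", "user": user, "time": day,
                               "reasons": [f"daily total {total} (z={z:.1f})"]})
    return alerts, unbaselined


if __name__ == "__main__":
    found, skipped = detect(parse_log(REVIEW_LOG),
                            build_baselines(parse_log(BASELINE_LOG)))
    for a in found:
        print(a["kind"], a["user"], a["time"], "; ".join(a["reasons"]))
    print("no baseline yet:", sorted(skipped))
```

On the constructed data the night-time pull is flagged twice (volume and hour), the eight daytime requests of 14 records are individually silent but trip the daily-total rule, and fd_bob is reported as having no baseline rather than silently passing a 300-record pull. The z-score thresholds are deliberately simple; a production version would also key the baseline on role and property so that a front-desk login at one franchise is not compared against a regional manager.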