UPDATED 22:29 EDT / MARCH 31 2020

SECURITY

5.2M customer records stolen in latest hack targeting Marriott hotel group

Marriott International Inc. has suffered yet another data breach, this one involving the theft of personal information on 5.2 million guests.

The new data breach was discovered in late February after those behind the data breach gained access to data from mid-January. The data is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise.

Data stolen included customer names, addresses, email addresses, phone numbers, loyalty account information, birth dates, company affiliation and hotel preferences along with partnership and affiliation data such as linked airline loyalty programs and numbers.

Marriott did note that it has no reason to believe that the data stolen included Marriott Vonboy account passwords or PINs, payment card information, passport information, national ID numbers or driver’s license numbers.

In a fairly standard response, Marriott said that it had begun an investigation, implemented heightened monitoring and contacted relevant authorities. Affected customers are also being offered free access to a “personal information monitoring service.”

Marriott was last hacked via its Starwood subsidiary in 2014 and it was only discovered and reported in November 2018. That hack involved the theft of data relating to some 500 million customers and was later linked to Chinese state-sponsored hackers, a claim the Chinese government denied.

“While this breach is small compared to the previous breach it highlights the fact that, even during a global pandemic, criminals will not stop attacking us,” John Shier, senior security advisor at security firm Sophos Group plc, told SiliconANGLE. “This information can be used to lend credibility to phishing emails and increase their chance of success.”

Although customers are at risk of being targeted by phishing attacks, phishing may have also been used to obtain the stolen data, according to Chris Hazelton, director of security solutions at mobile security company Lookout Inc.

“While we don’t have all the details yet, it is highly likely that this breach started with a phishing attack which enabled a threat actor to steal the credentials of two employees at a Marriott franchise,” Hazelton said. “Acquiring these credentials gave the cybercriminals nearly unlimited access to Marriott customer records. Luckily this data did not include highly sensitive information, such as passwords or payment information. For this reason, the attack may have targeted a CRM system or other nonfinancial enterprise app.”

The motivation for the attack also raises questions. Casey Ellis, chief technology officer and founder of crowdsourced cybersecurity platform provider Bugcrowd Inc., believes that the motivation was espionage.

“Like the Office of Personnel Management, Anthem, Dulles and the 2018 Marriott breach, this breach is just another in a long string of attacks targeting U.S. officials,” Ellis said. “Think about it, officials from the U.S. National Security Agency, Central Intelligence Agency, Federal Bureau of Investigation and Department of Defense stay at Marriott hotels, including possibly diplomats, business people or intelligence officials as they travel around the globe. The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security — alarm bells should be going off.”

The hospitality industry continues to demonstrate a greater need for stronger security measures, Ellis added. “Hotels collect more private personal information than most enterprise organizations,” he said. “Cybercriminals know what types of organizations collect troves of sensitive data and given the amount of valuable information at hand, hospitality organizations can no longer afford to ignore their vulnerabilities.”

Photo: Marriott

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU