Marriott International Inc. has suffered yet another data breach, the second time the hotel chain has had data stolen this year.

First reported today by DataBreaches.net, an unnamed hacking group claimed to have stolen roughly 20 gigabytes of data. The data, including credit card information and personally identifiable information on guests and workers, was stolen from an employee at the BWI Airport Marriott in Baltimore.

Marriott has confirmed the data breach, saying that although some data had been infiltrated, the incident was less significant than the hackers had described it, with only nonsensitive internal business files stolen. The attack vector involved the hackers tricking a Marriott associate into giving access to the associate’s computer through social engineering.

The hacking group also demanded a ransom payment from Marriott not to release the stolen data, but the ransom was not paid. The amount demanded by the hackers was not disclosed but was described by them as being high.

Marriott claims it had identified the incident before being contacted by the hackers and contained it within six hours. The hotel chain is informing about 300 to 400 individuals who may have been affected and has also informed regulators and law enforcement.

They say lightning never strikes the same place twice, but regarding data breaches, Marriott has now achieved a rare hat trick.

Marriott was hacked via its Starwood subsidiary in 2014 but the hack was discovered and reported only in November 2018. That hack involved the theft of data relating to some 500 million customers and was later linked to Chinese state-sponsored hackers, a claim the Chinese government denied.

Forward to March and Marriott was founded to have suffered yet another data breach believed to have involved data theft from mid-January. The data stolen in this case included the personal information of some 5.2 million guests and is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise.

“Threat actors continue to use proven social engineering techniques to gain access to systems and it appears that a major international hotel chain is the latest victim in this technique,” Tom Garrubba, director of third-party risk management at security solutions provider Echelon LP, told SiliconANGLE. “As an organization’s security team continues to educate end-users on ways to identify phishing and other cyber threats, this latest report emphasizes the continued danger of social-engineering exploitations particularly as employees have begun a mass return to the office.”

Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4 Inc., said organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training. “Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct,” he added.

Photo: Marriott