In the latest string of data breaches striking the international hotel group, Marriott has confirmed that on 6 July 2022 an unnamed threat actor breached a computer server at a Marriott hotel in Maryland. The unnamed group was able to exfiltrate 20 gigabytes of sensitive data which they claim includes guests’ credit card information and other confidential information regarding guests and employees. Samples of this data provided to Databreaches.net, and published in redacted form, purportedly reveal reservation logs for airline crew members from January 2022 and other details of guests including credit card details used for bookings.
Marriott has since conducted an investigation into the incident claiming that the threat actors only had access to the hotel server for 6 hours and accessed data which “primarily contained non-sensitive internal business files regarding the operation of the property”. Marriott has issued a statement acknowledging that they are, “aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate's computer. The threat actor did not gain access to Marriott's core network.” Marriott also stated that the hotel chain had identified and was investigating the incident prior to a threat actor contacting the company in an extortion attempt, which was not paid. The hotel group is apparently preparing to contact 300 to 400 individuals in relation to the breach.
While this breach was contained to a single Marriott hotel, it is nonetheless an unfortunate and alarming development for the wider hotel group which is no stranger to data breaches having suffered a significant breach in 2014 which resulted in 339 million guest records being compromised worldwide, with the incident going undetected until November 2018. Marriott continues to face litigation in connection with this breach which has already resulted in a £18.4m fine being issued by the Information Commissioner’s Office in the UK.
In a separate incident that occurred in January 2020, Marriott’s system was attacked again and the data of approximately 5.2 million guests was compromised including their contact details, loyalty account information, personal details, partnerships, affiliations and preferences.
Notably, Advisen has published data which shows that half of all industry-related cyber losses can be attributed to attacks on hotel and motel servers with personal financial information being the target for cybercriminals in 74% of cyberattacks on hotels and motels. This is a concerning trend which should be monitored particularly in light of increased worldwide tourism and travel which could potentially expose further hotel businesses to cyber-attacks that ultimately leaves individuals’ personal data vulnerable.
We will continue to monitor all developments arising from this most recent breach suffered by Marriott Hotel Group and publish further updates should any formal investigations or fines be issued.