In a detailed statement, Marriott said it had noticed at the end of February that two employee credentials for an application it uses to provide services to guests at its hotels had been used to access an "unexpected" amount of information. The credentials were for two individuals at a franchise property.
The activity is believed to have begun in mid-January. The login credentials were subsequently disabled. Marriott said it "immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests".
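The warning sign Marriott describes, a credential pulling an "unexpected" amount of information, is what a per-account volume baseline over the application's access logs is meant to surface. The script below is an added example written for this article, not Marriott's detection logic or any vendor's product; the key=value log format, the account names, the thresholds and the sample log lines are all constructed for illustration. Each account's daily record count is compared with the median of its own recent days, and an account with too little history is compared with its peers on the same day instead.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample log (not Marriott data). One line per account per day,
# giving how many guest records that account pulled through the guest-services app.
# fd-agent-02 starts ramping up on 2020-01-13; fd-agent-04 is a new account with
# no history that pulls a large volume on its first day.
SAMPLE_LOG = """\
2020-01-10 user=fd-agent-01 action=guest.lookup records=38
2020-01-10 user=fd-agent-02 action=guest.lookup records=41
2020-01-10 user=fd-agent-03 action=guest.lookup records=35
2020-01-11 user=fd-agent-01 action=guest.lookup records=44
2020-01-11 user=fd-agent-02 action=guest.lookup records=39
2020-01-11 user=fd-agent-03 action=guest.lookup records=37
2020-01-12 user=fd-agent-01 action=guest.lookup records=40
2020-01-12 user=fd-agent-02 action=guest.lookup records=36
2020-01-12 user=fd-agent-03 action=guest.lookup records=42
2020-01-13 user=fd-agent-01 action=guest.lookup records=37
2020-01-13 user=fd-agent-02 action=guest.lookup records=410
2020-01-13 user=fd-agent-03 action=guest.lookup records=39
2020-01-14 user=fd-agent-01 action=guest.lookup records=45
2020-01-14 user=fd-agent-02 action=guest.lookup records=980
2020-01-14 user=fd-agent-03 action=guest.lookup records=40
2020-01-14 user=fd-agent-04 action=guest.lookup records=1200
"""

# Assumed log format (hypothetical): "<date> user=<id> action=<name> records=<n>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+)$"
)


def parse_log(text):
    """Parse the assumed key=value log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "date": m["date"],
                "user": m["user"],
                "action": m["action"],
                "records": int(m["records"]),
            })
    return events


def detect_volume_anomalies(events, history_days=3, ratio=5.0, floor=100):
    """Flag (date, user) pairs whose record count exceeds `ratio` times a baseline.

    The baseline is the median of the account's own previous `history_days`
    days. An account with less history than that is compared against the
    median of its peers on the same day. `floor` suppresses alerts on small
    absolute counts, where a 5x jump is noise rather than bulk access.
    """
    by_user = defaultdict(lambda: defaultdict(int))   # user -> {date: records}
    by_date = defaultdict(lambda: defaultdict(int))   # date -> {user: records}
    for e in events:
        by_user[e["user"]][e["date"]] += e["records"]
        by_date[e["date"]][e["user"]] += e["records"]

    alerts = []
    for date in sorted(by_date):
        for user, count in sorted(by_date[date].items()):
            prior_dates = sorted(d for d in by_user[user] if d < date)
            prior = [by_user[user][d] for d in prior_dates[-history_days:]]
            if len(prior) >= history_days:
                baseline, source = median(prior), "own history"
            else:
                peers = [c for u, c in by_date[date].items() if u != user]
                if not peers:
                    continue
                baseline, source = median(peers), "peer median"
            if count >= floor and count > ratio * baseline:
                alerts.append({
                    "date": date, "user": user, "records": count,
                    "baseline": baseline, "baseline_source": source,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_volume_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a['date']} {a['user']}: {a['records']} records "
              f"vs baseline {a['baseline']} ({a['baseline_source']})")
```

On the sample data this raises three alerts: fd-agent-02 on 13 and 14 January, and fd-agent-04 on its first day via the peer baseline. A median over a short window resists a single spike, but an account that ramps up slowly will drag its own baseline upward, so in practice the peer comparison should run alongside the per-account one rather than only as a fallback, and the window should be longer than the three days used here.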
In 2018, Marriott's Starwood hotel chain experienced a data breach in which information on about 500 million guests was said to have been stolen. Australia was badly affected, with details of more than 10 million guests believed to have been pilfered.
"...we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s licence numbers," the statement said. Marriott Bonvoy is a loyalty program which customers can join.
Call centres have been set up so that customers in various countries can obtain more information, and Marriott has published the numbers by country. In Australia, the number to call is 1800280257.
The following information is believed to have been accessed:
- Contact details (e.g., name, mailing address, email address, and phone number)
- Loyalty account information (e.g., account number and points balance, but not passwords)
- Additional personal details (e.g., company, gender, and birthday day and month)
- Partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)
Marriott said it was offering those affected the option of free enrolment in a personal information monitoring service known as IdentityWorks, for a year.
It said the passwords of Marriott Bonvoy members believed to have had their information accessed had been disabled.
"When you log in to your Marriott Bonvoy account at Marriott.com, you will be prompted to change your password," the statement said. "You will also be prompted to enable multi-factor authentication to further protect access to your account. We have notified relevant authorities and are supporting their investigations."
Commenting on the incident, Andrew Hollister, senior director of security intelligence company LogRhythm, said: “A global company like Marriott, which holds a massive amount of personal information about its guests, will always be an attractive target for bad actors.
"While this is the second data breach Marriott has reported in the last two years, there are some positives to draw from the statement released on 31 March.
"In the previous incident in 2018, Marriott detected signs of unauthorised activity going back four years. In this new case, the activity appears to have begun in January 2020 and been detected in February 2020.
"This is a significant improvement in time to detect and respond to a data breach. While a significant number of records has been breached, the reduced time to detect has no doubt contributed to the number being substantially lower than on the previous occasion."
Hollister said that the latest data breach just showed that continuing vigilance was required to keep reducing the time to detect and respond to threats.
It also underlined the fact that "real reductions in impact can be made with focus on this issue that affects every company on the globe which holds personal information".
Chris Morales, head of Security Analytics at AI-based network detection and response firm Vectra AI, said: "Our research shows that privileged access from unknown hosts occurs inside every industry, leading to unintended exposure of critical systems. Yet these privileged accounts rarely receive direct oversight or technical control of how they are used, even when privileged access management tools are in place.
"It is this lack of oversight or understanding of how privileged accounts are being used that creates the operational and financial risk for organisations. If used improperly, privileged accounts have the power to cause much damage, including data theft, espionage, sabotage, or ransom."