For the second time in two years, Marriott International has disclosed that it suffered a massive data breach. The most recent breach of consumer data, which was disclosed on Tuesday, affects roughly 5.2 million guests.
Information compromised in the breach included names, contact details, and addresses. The hotel chain said the data may have been accessed starting in January via the login information of two employees.
“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” the company said in a statement. “We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
Marriott said its investigation into the matter is ongoing. However, company officials said they have “no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
Affected customers received an email on Tuesday informing them of the discovery. Marriott has also set up a website where guests can submit a request to see if their information was involved in the breach.
Second incident in two years
In 2018, Marriott announced that it suffered a data breach involving the names, addresses, contact information, and passport numbers of over 300 million guests who checked into one of its Starwood hotel locations. The company said at the time that an investigation revealed that unknown parties gained access to the database at some point during 2014.
Following the most recent breach, Marriott outlined a number of steps that impacted guests can take to protect their information. The company said affected Marriott Bonvoy members will have their accounts automatically disabled and will need to change their password the next time they log in.
Marriott recommends that all guests who think they may have been affected sign up for credit monitoring, change their passwords, enable two-factor authentication, and keep a lookout for potential fraud emails.
Room for improved cybersecurity practices
The latest breach calls into question the security improvements made in the wake of the breach that occurred in 2017, said Tyler Moffitt, a senior threat research analyst at Webroot.
“While this breach is not as widespread as the previous incident, it is still worrisome, with names, phone numbers, emails and other sensitive information released,” Moffitt told ConsumerAffairs.
“This second offense is apparently the result of two employees' credentials improperly accessing guest information, which further amplifies the need for companies to be aware of malicious insiders and put better cybersecurity practices into place for credential abuse and permissions.”
Regardless of whether they are affected by this particular breach, consumers “need to be wary of the personal information they share with companies and make sure it’s protected, including regularly updating passwords and implementing credit monitoring,” Moffitt said.