Marriott Data Breach

Written by Myles Dacres


Marriott Hotel Data Breach

The hotel group Marriott International is once again coming under fire after confirmation of another Marriott data breach, with hackers claiming to have stolen over 20 gigabytes of sensitive card data belonging to previous guests.  

The incident was first reported on Tuesday by an organisation called Databreaches.net. The attack is said to have happened in June of this year, with the hackers claiming to have used social engineering to trick a Marriott employee into giving them access to that employee's computer.  

“Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” Marriott spokesperson Melissa Froehlich Flood told TechCrunch in a statement. “The threat actor did not gain access to Marriott’s core network.” 

Marriott said that they had begun to investigate the breach before the actor reached out to the company to extort money in exchange for the personal details that were stolen. Marriott claimed not to have paid the hackers.  

The organised group of hackers claimed responsibility for the attack, providing evidence of stolen guest data including credit card details, travel plans, employers’ details and much more. Databreaches.net, the organisation that reported the breach, stated that there were long lists of guest data showing reservation logs for airline crew members from January 2022, names and other details of guests, and credit card information used to make bookings. 

All this being said, Marriott maintains that no major incident has taken place, stating that the dataset “primarily contained non-sensitive internal business files regarding the operation of the property.” 

Marriott said it is preparing to notify over 300 individuals regarding the breach and claims to have already reached out to the relevant law enforcement agencies.  

Believe it or not, this isn’t the first time Marriott has suffered a significant breach. On the 30th of October 2020, the Information Commissioner’s Office (ICO) reported a fine of £18.4 Million which was issued to Marriott Hotel Group earlier that year. At the time, Elizabeth Denham, the then Information Commissioner, stated: 

“Personal data is precious and businesses have to look after it. Millions of people’s data were affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.” 

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.” 

The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect. 

Ultimately, the Information Commissioner’s Office investigation exposed several areas that were vulnerable to attack, finding that the technical and organisational measures in place to prevent this type of incident were not sufficient.  

We believe that after the first fine the hotel group should have been doing everything within its power to prevent this kind of attack. It is clear that since the previous breach Marriott has taken the technology side of its business seriously, introducing several measures that would hopefully reduce the likelihood of an attack; however, it has not taken into account the human element of security. You are only as strong as your weakest link. In this instance the breach was caused by the human element, but that does not mean the incident can be classed as an accident. Staff must be made aware of data protection and of the responsibility they have to protect the personal information belonging to their customers.  

To report a concern to the ICO telephone their helpline at 0303 123 1113 or go to ico.org.uk/concerns. 
