Marriott Hotels breached AGAIN: Two compromised logins abused to exfil guests’ personal deets
Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.
The size of the latest breach has not been disclosed, though Marriott admitted it seemed to have been taking place since January 2020 and was detected “at the end of February.”
“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was the source of the breach.
“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.
Marriott did not explain why it took four weeks to begin alerting customers to the breach.
Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.
The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.
Bob Rudis of infosec biz Rapid7 commented on the breach in a statement, saying: “The use of stolen, legitimate credentials is still one of the most popular attack vectors for our adversaries. It is also paramount that you continue to watch for anomalous behaviour of systems and accounts to reduce the time attackers have to accomplish their goals if they do manage to breach your defences.”
Guests are now being emailed from [email protected], with the company publishing a self-help portal so you can, er, input your personal data to find out whether it was exposed or not. A link is available from the Marriott breach notification page. For affected Brits, an 0800 number is provided so one can bellow enraged obscenities at some call centre drone, sorry, obtain further information.
Free Experian identity monitoring is also being provided to those affected. It is meant to notify you if criminals are using your stolen details to clone your identity.
If you are affected, Marriott said in its statement it would force password resets and prompt users to enable multi-factor authentication.
Back in 2018 Marriott lost control of 383 million people’s personal data after China-based criminals broke into its Starwood brand’s guest database. Included in that breach were 8.6 million “encrypted” credit card numbers, though the hotel chain insisted that all but a mere 354,000 had expired by the time staff realised what had happened.
The breach will come as bad news for Marriott’s lawyers and beancounters, who thought they had been successful in kicking the UK ICO’s £99m fine for the 2018 breach into the long grass. And lest we all forget, in 2014 the hotel chain was caught red-handed blocking guests’ own Wi-Fi hotspots in a vain attempt to force them to buy expensive hotel Wi-Fi access instead. ®
Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/31/marriott_hotels_data_breached_once_again/