Marriott Hit by New Data Breach and a Failed Extortion Attempt
Hotel giant Marriott International confirmed it was hit by another data breach after an unknown threat actor breached one of its properties and stole 20GB of files.
The attackers could only breach one of the chain’s properties, BWI Airport Marriott, and only had access to its network for a limited time.
“This incident only involved one property. The threat actor did not gain access to Marriott’s core network. The access to one device at the property involved only lasted for approximately six hours,” a Marriott spokesperson told BleepingComputer.
“The threat actor used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer. The threat actor did not impersonate any Marriott vendor.”
Data breach affected 300-400 individuals
While the company did not share any details on the stolen data with BleepingComputer, it told DataBreaches (which first reported the incident) that the 20GB of documents stolen during the breach contained non-sensitive internal business files and some credit card information.
However, Marriott has yet to say whether the threat actor exfiltrated information belonging to the hotel’s guests, its employees, or both.
The attackers also attempted to extort Marriott under the threat of leaking the stolen files online. Still, the hotel group told BleepingComputer that it “did not make any payment or provide anything to the threat actor.”
Marriott said that it notified the FBI and hired a third-party security firm to investigate the incident.
The hotel giant added that it would notify relevant data regulators and roughly 300-400 individuals affected by this data breach.
Third data breach disclosed since 2018
This is the third data breach Marriott has confirmed since 2018. In a breach disclosed in 2020, the company exposed the personal information of 5.2 million hotel guests, including contact and personal details.
The company also announced in November 2018 that its Starwood Hotels guest reservation database containing info on hundreds of millions of guests was hacked.
Marriott discovered the incident two years after Starwood’s acquisition and said the information stolen in the incident included guests’ names, personal info, addresses, unencrypted passport numbers, and AES-128-encrypted payment information.
As Marriott added at the time, signs of unauthorized access were detected as far back as 2014, and the compromise affected roughly 339 million guest records globally.
The UK Information Commissioner’s Office (ICO) fined Marriott International £14.4 million (approximately $24 million) for infringing the General Data Protection Regulation (GDPR).