In its third such incident in four years, Marriott International was on the defensive this week in confirming a data breach involving a property near Baltimore-Washington International Airport.
The breach occurred last month and the hotel company claimed the issue was contained within six hours. It said an investigation was underway before a hacker group contacted the hotel to attempt to negotiate a ransom.
The breach was first reported by DataBreaches.net, with which a group claiming to be the threat actors communicated about their infiltration of Marriott’s systems. The group told DataBreaches it had tricked a single employee into giving the hackers their credentials. Through that individual’s computer, the group was able to exfiltrate 20GB of data.
Marriott downplayed the significance of the breach, stating to DataBreaches, “We have no evidence that the threat actor had access beyond the files that were accessible to this one associate.” The hotel company did not pay the hackers’ ransom demand.
Even so, the data appeared to include full corporate card information and CVV numbers for guests and agencies booking hotels. Marriott said it would need to contact 300 to 400 people affected by the breach.
The scale of the June breach pales compared to Marriott’s previous data security fiascos. In 2020 the company paid the UK’s Information Commissioner’s Office a nearly $24 million penalty for failing to properly protect guest data according to the EU’s General Data Protection Rules, in relation to an ongoing breach that extended from 2014 to 2018 and compromised 339 million guest records. Another breach in 2020 compromised 5.2 million guest records.
Bad actors continue to target hotels as easy pickings for hacks. Reports from PwC and others have noted the richness of personal data collected at the hotel level and that the numerous touchpoints for that data leave it vulnerable to cyberthreats. In addition to Marriott’s string of data breaches, MGM Resorts International, The Ritz London and Choice Hotels International have experienced high-profile data breaches in the last five years.