Marriott says a security breach may have exposed the personal information of 5.2 million guests

Hotel group Marriott International has announced that it is notifying some of its guests today of an incident involving a property system.

At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.

The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.

At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved:

  • contact details 
  • loyalty account information 
  • additional personal details 
  • partnerships and affiliations 
  • preferences 

Marriott has set up a dedicated website and call center resources with additional information for guests. The call center resources can be reached by calling the numbers listed on the dedicated website. 

Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage. The company said it "does not currently believe that its total costs related to this incident will be significant".

It follows another major breach, discovered in 2018, which impacted up to 339 million guests who had stayed at Marriott's Starwood subsidiary. Marriott said at the time that the data breach compromised 327 million records, including personal information such as mailing addresses and passport numbers.

Following an extensive investigation, the UK Information Commissioner's Office (ICO) announced in July 2019 that it intended to fine Marriott International £100m for infringements of the General Data Protection Regulation (GDPR).

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

At the time of issuing the fine, Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”