Hotel chain Marriott has revealed that 5.2 million guests’ personal details were accessed in a possible data breach.
The company said that customer information, including loyalty account information, contact details and room preferences, was accessed between January and February of this year.
Guests’ birthday information, gender and company details may also have been exposed in the breach, as well as partnerships and affiliations, including linked airline loyalty programmes.
Exposed customer information was accessed through the log-in details of two employees at a franchise property, Marriott confirmed. Hotels operated and franchised under the Marriott brand use an application to help staff provide guest services.
Upon discovering the breach, Marriott said the credentials were disabled and an investigation was launched. The firm also said it has since implemented “heightened monitoring” and notified relevant authorities to support its investigation.
In a statement, the company said: “Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver’s license numbers.
“At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved.”
Guests have been informed of the breach via email and a dedicated website has been launched for customer enquiries, Marriott said.
Emails sent to guests also contain a list of steps they can consider taking, as well as information about enrolling in Marriott’s personal information monitoring service.
The confirmation of this latest data breach marks the second in recent years for Marriott. In November 2018, the hotel chain revealed an unauthorised party had accessed the Starwood guest reservation system – exposing more than five million unencrypted passport numbers and financial details.
Vulnerabilities in the reservation system had been present since 2014, the company revealed at the time, and had been carried over following Starwood’s acquisition by Marriott in 2016. That data breach prompted the Information Commissioner’s Office to impose a £99 million fine in July 2019.