Fool Me Twice: Marriott International Discloses Second Major Data Breach
On March 31, 2020, Marriott International
notified more than 5 million guests that their personal information was exposed in a data breach dating back to mid-January 2020. This is the second data breach in as many years for the hotel chain. In 2018, Marriott suffered a major breach that affected more than 300 million guests and disclosed more than 20 million passport numbers and 8 million payment cards. And while Marriott believes the most recent breach did not involve account passwords, payment card information, or passport information, it indicated that several categories of personal information were nonetheless accessed.
Ice Miller’s Data Security and Privacy team has summarized details of the breach below.
What Happened?
In an online disclosure notice and a notice sent to potentially impacted guests, Marriott stated that attackers exploited an application used to help provide services to guests at franchised hotel locations beginning in mid-January 2020. By February 2020, Marriott learned the attackers used the login credentials of two employees at a franchise property to access an “unexpected amount” of guest information.
What Information was Accessed?
Marriott confirmed the following categories of information may have been involved:
- Contact Details (e.g., name, mailing address, email address, and phone number)
- Loyalty Account Information (e.g., account number and points balance, but not passwords)
- Additional Personal Details (e.g., company, gender, and birthday day and month)
- Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)
The notice stated that Marriot has “no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers” and confirmed that not all of the information above was present for every guest involved.
What Is Being Done to Mitigate the Breach?
After discovering the breach, Marriott disabled the employees’ login credentials, implemented heightened monitoring and arranged resources to inform and assist guests. These resources include a
self-service online portal for guests to determine whether their information was involved; the option to enroll in a personal information monitoring service, free of charge for one (1) year with IdentityWorks; and a dedicated call center for guests to further inquire about the breach, provided below.
| Location |
Number |
| United States/Canada |
+1-800-598-9655 |
| Australia |
1800280257 |
| France |
0805540130 |
| Germany |
08006644414 |
| United Kingdom |
08003457018 |
| Rest of the World (toll may apply) |
+1-402-952-5356 |
Marriott also disabled existing Marriott Bonvoy passwords for those members whose information was involved and enabled multi-factor authentication to further protect Marriott Bonvoy accounts.
How Could the Breach Impact You?
Because the breach did not involve account passwords, payment card information, or passport numbers, many impacted individuals may assume the breach will have a limited impact. However, contact details (e.g., email addresses) accessed simultaneously with additional personal details (e.g., the company for which you work) could put you and your company at risk. Many guests traveling for work provide their company email address to receive receipts for travel reimbursement or other accounting purposes. With access to your company email address, attackers can attempt to gain access to your credentials or your colleagues’ credentials through phishing attacks sent to your company email address. And if your company uses a similar email address format (e.g., John.Smith@company.com) for other users, attackers can now use phishing attacks on other employees of your company.
Furthermore, if the attacker accessed several pieces of contact details and loyalty account information, they may be able to successfully perpetrate identity theft even without your payment card details. We recommend that impacted guests first visit the self-service online portal to determine whether their information was accessed and then consider changing contact details, additional personal details, and loyalty account information to the extent feasible. Finally, monitor your Marriott account activity for suspicious charges or account changes and exercise heightened caution when opening emails sent to the address linked with your Marriott account.
The Covid-19 pandemic has many organizations scrambling to both maintain business operations and protect the health of their employees and customers. But while many organizations are busy responding to the crisis, attackers are constantly targeting information systems and employees who are adjusting to a relatively unfamiliar work environment. The Marriott International breach is a reminder that data security and privacy remains an essential component of your organization and your data is at an even greater risk during chaotic times.
If you have any questions related to data security, please contact
Nick Merker,
Mason Clark or another member of the
Data Security and Privacy Group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.