Marriott hotel chain hacked 6th time. Most comfortable place for vacations or to get hacked?

Marriott hotel chain suffered a data breach , as it reported that hackers stole more than 20 gigabytes of confidential data, between clients and internal processes.

The incident, first reported by Databreaches.net, is said to have occurred in June when an unnamed hacker group claimed they used social engineering to trick an employee at a Maryland Marriott hotel into giving them access to his computer.

“Marriott International is aware of a threat actor who used social engineering to trick an associate at a single Marriott hotel into providing access to the associate’s computer,” said Marriott spokeswoman Melissa Froehlich Flood. “Threat actor did not gain access to Marriott’s core network.”

The group claiming responsibility for the attack says the stolen data includes guests’ credit card information and sensitive information about guests and employees.

The hotel chain acknowledged that while most of the data acquired by threat actor was what Marriott described as non-sensitive internal business files, they will be notifying approximately 300-400 individuals and any regulators. They did not provide a full explanation as to what kinds of personal information were leaked. Law enforcement has reportedly been notified, and Marriott states that they are supporting that investigation.

The threat actor commented on Marriott’s security:

Their security is very poor, there were no problems taking their data. At least we didn’t get access to the whole database, but even the part that we took was full of the critical data.

The threat actor mentioned that  they hacked into personal information of guests and employees. They provided  samples of 20 GB of files that they had exfiltrated.

A number of the files in the sample were, indeed, internal business documents with confidential and proprietary information such as how to access a labor management and scheduling platform. From the dates on the files, some of these manuals and audits might no longer be currently applicable. Apart from internal business documents, other documents included information on hotel guests and employees.  Number of documents were where airlines made reservations for their flight crews to stay at the hotel.  The forms included the crew members’ names , what flight number they would be arriving on, what flight number they would be departing on and their room number . The documents also include corporate credit card numbers for the airline or travel agency making the guests’ arrangements

This is not the first time that Marriott has suffered a significant data breach. 

  • In September 2010, HEI Hotels & Resorts disclosed a breach.  Those properties included a number of Marriott-branded hotels.
  • In April 2011, Marriott Rewards program customers data was breached involving Marriott vendor Epsilon.
  • A 2014 breach at Starwood that neither Starwood nor Marriott knew about when Marriott acquired Starwood in 2016 was first reported In November 2018. Marriott disclosed that the breach impacted almost 500 million guests, a number that they eventually re-estimated at 383 million or less.
  • In October 2019, Marriott announced that a breach at an unnamed vendor had impacted some of its associates.
  • In March 2020, Marriott had to notify 5.2 million guests whose personal information was breached.
  • And now in 2022, a threat actor has hacked BWIA Marriott.