In brief: In the middle of the Coronavirus pandemic, Marriott admits it suffered a new breach where hackers took over the accounts of two employees and gained access to the personal information of millions of hotel guests. And while the attackers weren't able to dig deep enough to get to the really sensitive details, this doesn't look particularly good after two other breaches over the last couple of years.
Hotel giant Marriott says it suffered a data breach involving the personal information of no fewer than 5.2 million guests. This would be the third time in three years, and in this case "an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property."
Marriott sent everyone whose data was exposed by the breach a letter notifying them of what happened, along with recommended steps to get assistance.
The breach was discovered at the end of February 2020, and an investigation is still ongoing to determine the full extent of the damage caused by attackers. That said, Marriott didn't find any indication of data misuse, and luckily the data accessed by malicious actors didn't include payment card information, Bonvoy account passwords / PINs, national IDs, passport information, or driver's license numbers.
However, attackers were able to get access to contact details like name, email address, mailing address and phone numbers as well as preferences and things like the number of loyalty points, including those obtained through Marriott's partnerships with airlines. The information was exposed from mid-January to the end of February.
Marriott has created a self-service online portal for people who want to find out if their information was exposed in the breach. Guests who have been affected now have their passwords disabled and will have to change them the next time they want to log in. Another important addition is multifactor authentication, which could have made it a lot harder for attackers to succeed.
Overall, based on the preliminary information provided by Marriott, this breach looks a lot less severe than the one that happened in 2018, which affected 500 million customers. US authorities believe the 2018 breach was the work of Chinese state-sponsored hackers, but that wouldn't excuse the combination of bad security habits and the lack of safeguards in place at a hotel giant that is routinely a top choice for American government officials and military personnel.
The news also comes at the worst possible time, when Marriott and, by extension, the entire tourism industry are laying off a significant number of employees as a desperate measure to survive the impact of the Coronavirus pandemic.