Marriott International 2020 data breach: 5.2 million customers affected

Marriott International has suffered a new data breach in mid-January 2020, which affected approximately 5.2 million guests.

What information was compromised?

According to the incident notification published on Tuesday, the attackers got into an application that hotels operated and franchised under Marriott’s brands use to help provide services to guests at hotels, by compromising and using login credentials of two employees at a franchise property.

The breach was identified at the end of February 2020, and they believe it dates back to mid-January 2020.

Contact details, loyalty account information, additional personal details (e.g., company, gender, birthday day and month), partnerships and affiliations (e.g., linked airline loyalty programs and numbers) and stay and language preferences of some 5.2 million guests have been compromised.

“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” Marriott International stated.

“Upon discovery [of the compromise], we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”

Marriott International 2020 data breach: Potential consequences

The company has offered personal information monitoring services for some affected customers, has reset their Marriott Bonvoy (loyalty program) account password, and has warned them about the possibility that the compromised information may be used by criminals to “phish” additional sensitive information from them.

The phishing warning was echoed by several security experts.

“From what we know of the information exposed, this is the kind of data that provides good, raw material for cybercrime — exposed personal data is used for anything from generating phishing campaigns to targeted business email compromise,” Tyler Carbone, Chief Strategy Officer at digital risk protection provider Terbium Labs, told Help Net Security.

“Because employer affiliation is also exposed here, again, we can expect to see an uptick of attacks of this kind against the businesses whose employees’ data were compromised here. What’s been exposed here is data that enables certain kinds of attacks, as well as a list of companies those attacks can be directed toward. This illustrates exactly why it’s so important for all companies to understand and monitor for exposed data — when other companies have breaches, that exposed data makes future breaches of other companies more likely, and so on.”

Dylan Owen, senior manager for cyber services at Raytheon, added that information about travel and specifically travel patterns can be used for intelligence gathering purposes by many adversaries.

Potential consequences for Marriott International

Kelly White, CEO of RiskRecon, noted that this breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring.

“Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior,” he added.

Samantha Humphries, security strategist at Exabeam, noted that if there is something positive to say about this breach notification, it’s that Marriott’s security team seems to have minimised the attacker’s dwell time to a little over a month.

“While still significant, 5.2 million compromised guests is a drastic reduction from almost half a billion the last time this organisation identified an attack. Despite this improvement – if we can call it that – whether the organisation did enough to shore up its security posture after the last breach will certainly be called into question,” she added

As a reminder: Marriott International, which operates hotels and lodging facilities under different brands (Marriott, Starwood, Ritz-Carlton, Le Méridien, etc.), has revealed in late 2018 that the Starwood network had been accessed without authorization since 2014 and that an unauthorized party had copied the contents from the Starwood guest reservation database.

In July 2019 the U.K. Information Commissioner’s Office announced its intention to fine Marriott International a little over £99 million for infringements of the GDPR, but the final decision has yet to be made.

“For Marriott, this breach will likely mean another round of expensive disclosures, and possible legal action. It will also mean an increased cost in fraud and misuse going forward, for any guests whose personal information is used to compromise Marriott itself in the future (fraudulent or erroneous reservations, upgrades, etc.),” Carbone pointed out.

“For businesses generally, we can expect this data to recirculate, creating more criminal activity against other businesses, and, in turn, other possible data breaches, if any of the exposed data here enables another attack in the future to be successful.”

UPDATE (April 6, 2020, 1:52 a.m. PT):

The UK ICO delayed the final decision about the Marriott fine until June 2020.

Don't miss