Sixteen months after acknowledging a huge data breach, Marriott Hotels says it has been stung again, this time after the login credentials of two employees were used.

The chain said this morning that it has begun notifying some 5.2 million guests who stayed at its hotels in several countries, including Canada, the U.S. and the United Kingdom, that they were victims of the breach.

Stolen personal information includes names, addresses, email addresses and birthdates. At the moment, the company doesn’t think payment card information, passport numbers, national IDs or driver’s licences were copied.

In a statement, the chain said that the hackers accessed an application used to help provide services to guests at hotels. At the end of February, it realized an unexpected amount of guest information might have been accessed using the login credentials of two employees at a franchised Marriott hotel. “We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”

At this point Marriott says it thinks that the following information may have been involved in the breach, although not all of it was copied for every guest:

  • Contact Details (e.g., name, mailing address, email address, and phone number)
  • Loyalty Account Information (e.g., account number and points balance, but not passwords)
  • Additional Personal Details (e.g., company, gender, and birthday day and month)
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
  • Preferences (e.g., stay/room preferences and language preference)

In November 2018 Marriott admitted that it had been victimized by a hack of the computer system of the company’s Starwood chain, which Marriott had bought several years before. The chain included W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Approximately 383 million records of those who stayed or made reservations at Starwood properties were involved, but that includes multiple records for the same guest.

Approximately 8.6 million encrypted payment cards were copied over four years in that breach. Of those, the vast majority had expired by September 2018, when the breach was discovered. Approximately 354,000 cards were unexpired as of September 2018. But the theft also involved some 5.25 million unencrypted passport numbers, as well as roughly 20.3 million encrypted passport numbers.

Last July the U.K. Information Commissioner announced its intention to fine Marriott the equivalent of CDN$174 million for violating the European Union’s General Data Protection Regulation (GDPR) over that breach. “The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

Consumers should note that Marriott is sending notification messages from marriott@email-marriott.com. Messages from other accounts should be treated as fraudulent. It is common for hackers to try to take advantage of data breach announcements by sending fake messages with malicious links to infect computers. Where available, Marriott is offering victims the option to enroll in a personal information monitoring service free of charge for one year.

Tim Erlin, Tripwire’s vice-president of product management and strategy, noted that while the Marriott release had a lot of information for consumers, it offers little for security practitioners to better understand how to avoid similar incidents. “Breaches that use valid credentials can be harder to detect because the attack looks like a valid login,” he added. “In these cases, organizations often have to look at what changes that attacker is making as they carry out their objective in order to detect the malicious activity.”
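The detection approach Erlin describes, and the "unexpected amount of guest information" signal Marriott cites, can be turned into a simple per-credential volume check. The following is an added illustration, not Marriott's tooling or log format: the application access log lines, the `date user guest_id` layout, the baseline window and the thresholds are all assumptions, and the log itself is constructed sample data.

```python
"""Flag valid credentials that read far more guest records than their own baseline.
Added example; log format, field names and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev


def daily_counts(log_lines):
    """Distinct guest records read per (user, date) from 'date user guest_id' lines."""
    seen = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, guest = line.split()
        seen[(user, date)].add(guest)
    return {key: len(guests) for key, guests in seen.items()}


def flag_excess_access(counts, baseline_dates, min_records=20, sigmas=3.0):
    """Return (user, date, count) for non-baseline days where a user's record volume
    exceeds mean + sigmas*stddev of that user's baseline days and min_records.
    A credential with no baseline history (e.g. newly issued) is measured against 0."""
    history = defaultdict(list)
    for (user, date), n in counts.items():
        if date in baseline_dates:
            history[user].append(n)
    alerts = []
    for (user, date), n in sorted(counts.items()):
        if date in baseline_dates:
            continue
        hist = history.get(user, [])
        mu = mean(hist) if hist else 0.0
        sd = pstdev(hist) if len(hist) > 1 else 0.0
        if n >= min_records and n > mu + sigmas * sd:
            alerts.append((user, date, n))
    return alerts


# Constructed sample: five quiet baseline days, then one day of bulk reads by clerk_a.
BASELINE_DATES = {f"2020-01-{d:02d}" for d in range(6, 11)}


def constructed_log():
    lines = []
    for i, date in enumerate(sorted(BASELINE_DATES)):
        lines += [f"{date} clerk_a G{i * 10 + j}" for j in range(4 + i % 2)]  # 4-5 a day
        lines += [f"{date} clerk_b G{500 + i * 10 + j}" for j in range(3)]   # 3 a day
    lines += [f"2020-01-14 clerk_a G{9000 + j}" for j in range(60)]          # spike
    lines += [f"2020-01-14 clerk_b G{700 + j}" for j in range(3)]
    return lines


if __name__ == "__main__":
    print(flag_excess_access(daily_counts(constructed_log()), BASELINE_DATES))
```

In practice the baseline would be rolled forward daily and the alert joined with the change-tracking Erlin mentions (what the credential modified, not only what it read).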