- Marriott International last month suffered its third publicly acknowledged data breach in four years. The hotel chain disclosed the incident after DataBreaches.net reported an unnamed threat actor claimed to have stolen 20 gigabytes of sensitive data.
- A previous data breach that began in 2014 and went undetected for four years ultimately impacted 500 million guests. That breach hit the reservation system for Starwood Hotels and Resorts Worldwide two years before Marriott completed its acquisition of the company, forming the largest hotel chain globally.
- Marriott claims the incident was quickly contained and potential exposure was limited to about 400 individuals.
After suffering one of the worst data breaches on record, Marriott disclosed another data breach in March 2020 that exposed account details on up to 5.2 million guests. This latest incident, though relatively minor, marks a pattern of personal identifiable information breaches with human error at the root.
In the latest incident, a threat actor “used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” a Marriott spokesperson said via email. “The threat actor did not gain access to Marriott’s core network.”
Following an investigation, the company said it determined the information that was accessed primarily contained non-sensitive internal business files regarding the property’s operations.
The hotel chain said it identified the breach and was investigating the incident before the threat actor contacted the company in an extortion attempt. Marriott did not pay the threat actor, according to the company spokesperson.
The unnamed threat actor claiming to be behind the attack supplied DataBreaches with documents containing personal information, including airline flight crews’ names, corporate credit card information, and room numbers at the BWI Airport Marriott property.
Marriott asserts no such information was accessed, but said it notified law enforcement and the company is supporting further investigation.
While lapses in security have become routine across sectors, a concern for Marriott is the pattern and the role security plays in corporate governance. The last time "cyber" or "security" was mentioned on an earnings call occurred in mid-2019.
Marriott’s global operating committee lists 24 members and none of those individuals have cyber or security in their title.
Arno Van Der Walt has served as CISO at Marriott since January 2018, but not listed on the company’s leadership page. Jim Scholefield, who is listed on the leadership team and designated as “responsible for leading all aspects of the company’s information technology and digital strategies,” joined Marriott in January 2020 to serve as its global chief information and digital officer.