It was a bad month for the Marriott International hotel chain. Last week it put tens of thousands of workers on leave as travel plummeted in the wake of the Covid-19 pandemic, and its stock price has fallen more than 50 percent since the beginning of the year. On Tuesday it also announced that it has been hacked, again, with records of up to 5.2 million guests exposed.
That is the third successful cyberattack on Marriott in the past 18 months, according to the Wall Street Journal. This one is much smaller than the 2018 breach, which exposed over 500 million customer records and brought the hotel chain enormous legal liability and a $124 million GDPR fine, and it appears to involve less sensitive data. However, it is much larger than the breach of 1,552 employee names, addresses and social security numbers announced in October 2019.
The attackers may have stolen up to 5.2 million records of Marriott Bonvoy loyalty program participants, Marriott said in a press release. The exposed information includes contact and address details, loyalty program data, and personal information such as employer, gender, and birthday. The chain believes the attack began in January 2020 but only noticed it at the end of February.
The hotel chain wrote in the release that there was no evidence the attackers had access to payment information such as credit card numbers and PINs, and said the same of customer passwords, passport details and IDs. However, breaches of this kind can help cyber criminals carry out more convincing phishing scams aimed at tricking exposed users into handing over banking data.
Marriott spokesman Brendan McManus told the Journal that the person behind the attack used the credentials of two employees of a franchise hotel in Russia. He declined to comment on whether those staffers were suspects: “Our investigation is ongoing and it is too premature to comment on that.”
“Most breaches can be easily prevented by multi-factor authentication,” David Kennedy, CEO of cybersecurity firm TrustedSec, told Wired. “For any type of increased access, organizations need to leverage enhanced security measures. Multifactor authentication must be applied to everyone. And for elevated accounts with a high level of access, security controls need to be even more comprehensive.”
Rusty Carter, president of security company Arxan Technologies, told Wired: “There are still open questions about the security of Marriott’s APIs and how hotels can access them.”
Marriott said it has emailed users involved in the breach, urging them to set up two-step verification on their loyalty accounts, and will extend identity monitoring services to those affected for a further year. According to the Journal, the British Information Commissioner’s Office, which imposed the $124 million fine over the 2018 breach, said it had contacted the company.
“But if you come across multiple breaches, you will automatically face intensive surveillance from regulators,” Richard Lawson, a former Florida consumer protection officer and partner at Gardner Brewer Martinez-Monfort PA, told the Journal. “The idea was of course that this company was aware, this company had this problem before and had a previous visit from us. And here we are again.”