Marriott Hotel Data Breaches and the Aftermath

  • By Dawna M. Roberts
  • Published: Nov 11, 2020
  • Last Updated: Mar 18, 2022

The data breach of Marriott Hotels occurred in January 2020. The large Hotel chain did not discover the breach until February 2020. The latest is a second data breach for Marriott and potentially affects 5.2 million guests' information.

What Happened and How?

Hackers obtained logins for two Marriott Hotel employees and breached the network system accessing guess details in January 2020. The information contained names, gender, birthdates, telephone numbers, language preferences, and even loyalty program numbers along with reservation data. 

At the time, a Marriott spokesperson commented, "Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver's license numbers."

They soon added, "Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."

An Earlier Breach and Big Consequences

In July 2014, Starwood Hotels and Resorts Worldwide was hit by a major data breach affecting 339 million customers. Marriott bought Starwood, but it did not catch the data breach until September 2018. During those four years, hackers made off with customer names, email addresses, mailing addresses, phone numbers, passport numbers, and some credit card information. The incident resulted in a major breach of trust between the hotel and its customers. 

In November 2020, the U.K. Information Commissioner's Office served Marriott Hotels with a steep fine of $24 million over their negligence in keeping customer data safe. It's unclear if they will add to that figure on the heels of this new data breach. Initially, the office had decided on a fine of $128.2 million, but it was reduced before the final ruling.

A London spokesperson claimed that "Although the fact that Marriott got a much lower fine than originally announced may send out a mixed message, this should not deter organizations from taking data security seriously, and organizations should also bear in mind that class-actions for compensation may yet add to the final bill in cases like this one."

The shocking thing about this data breach is hackers installed a web shell on a Marriott server, enabling them to remain connected via remote access and continued to steal information for four years.

Lessons Learned

After an exhaustive investigation, Britain's Information Commissioner's Office has determined some of the leading causes of the Marriott data breach. According to DataBreach Today, "Inadequate monitoring of databases and privileged accounts, incomplete multi-factor authentication and insufficient use of encryption: These are among the catalog of errors cited by British privacy regulators investigating the failures that contributed to the massive data breach involving Marriott's Starwood guest reservation system."

Since the 2014 Marriott’s systems have not been improved, as evidenced by this latest data breach in January of this year. The recently issued 91-page penalty notice includes the following:

* Insufficient monitoring of privileged accounts.

* Insufficient monitoring of databases.

* Poor controls for critical systems.

* Insufficient encryption.

* Reliance on software security protocols rather than personalized management of private data. 

It also noted that "That Marriott did not detect the attack until alerted by Guardium is indicative of Marriott failing regularly to test, assess, and evaluate the effectiveness of its security measures."

The report also detailed some specific factors as:

  • Vulnerable web shell and malware tied to Accolade software.
  • Memory scraping malware that was used to exfiltrate data.
  • IBM Guardian database security software alarms.
  • Missing multi-factor authentication to protect cardholder data.
  • Insufficient monitoring of privileged accounts.
  • Spotty database monitoring.
  • Deficient critical systems monitoring and security alerts.
  • Incorrectly configured encryption.

The list of violations is long and embarrassing for the hotel chain. However, experts say this is a cautionary tale for other businesses to now step up their game and implement systems that do not land them in the same hot water. 

Recommendations for the Hotel Industry

Threat assessors and security professionals recommend the following security upgrades for hotels and other businesses that collect and store customer data.

1. Develop a security-centric plan for all operations. Start from the ground up and hire security experts to assess your current systems and point out the flaws so you can fix them. 

2. Plan on being breached and implement proactive protections now, don't wait until something catastrophic happens.

3. Invest in security software, practices, and outside resources as a top priority. Don't put a cap on the budget. Think about how much you may have to lose in an incident where you have to reimburse customers or provide remediations.

4. Think of data security as money in the bank. Not only are you preventing dangerous data breaches, but you are also building brand trust, and your customers will appreciate your commitment to security and their privacy.

The bottom line is you cannot be too careful these days if you have anything to lose. Marriott is learning that lesson a bit too late. 

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

Financial Business and Consumer Solutions Data Breach

Financial Business and Consumer Solutions Data Breach

Financial Business and Consumer Solutions (FBCS) was founded in 1982 as Federal Bond Collection Services and currently has over 100 employees.

Wattpad Data Breach

Wattpad Data Breach

Reportedly, in the top 160 most visited websites in the world, Wattpad prides itself as the world's most loved storytelling platform.

Teleperformance Breach

Teleperformance Breach

Teleperformance began its operations in 1910 in Paris, France, as a customer service management company. The company founded its United States division in 1993, which is situated in Salt Lake City, Utah.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address