BY GRACE AIRHULE
Barely two years after it reported a breach that compromised 5.2 million customer records, hotel group Marriott International has confirmed yet another data breach in which hackers claim to have stolen 20 gigabytes of sensitive data, including guest credit card details.
However, Marriott says the breach primarily consists of nonsensitive internal business files regarding the operation of its airport-adjacent hotel in Baltimore.
“Marriott International is aware of a threat actor who used social engineering to trick an employee of a single Marriott hotel into granting access to the employee’s computer,” Melissa Froehlich Flood, Marriott spokesperson, said in a statement. “The threat actor has been denied access to Marriott’s core network.”
Databreaches.net, which first reported the breach, says hackers shared documents that include records apparently of airline hotel reservations for flight crew that include the crew’s names, job titles and hotel room numbers. Also apparently in the documents are the corporate credit card numbers used to make the reservations.
Hackers told the owner of the website, who goes by the handle “Dissent Doe”, that they made off with 20 gigabytes of Marriott data. “Their security is very poor, there were no problems taking their data,” Dissent Doe says the hackers said.
Marriott said it identified and investigated the incident before the threat actor contacted the company in an extortion attempt, which Marriott said it did not pay.
The hotel group said it is informing 300 to 400 individuals of the breach, has notified law enforcement agencies and regulators and is supporting investigations into the incident.
Marriott has a history of data breaches. In 2018, hackers later fingered as working for the Chinese government were found to have stolen approximately 340 million guest records over a period of four years.
Marriott paid a $24 million fine in 2020 without admitting liability to settle allegations that it had violated Europe’s General Data Protection Regulation by failing to ensure adequate security of personal data.
In 2020, Marriott reported another breach that compromised 5.2 million customer records. The threat actors had access to the system for just two months and did not expose payment card details. But the breach did expose email addresses, mailing addresses, loyalty rewards numbers and other personally identifiable information.