Hotel group Marriott International has confirmed another data breach, with hackers claiming to have stolen 20GB of sensitive data, including guests’ credit card information.
First reported by Databreaches.net, the incident happened in June when an unnamed hacking group claimed it used social engineering to trick an employee at a Marriott hotel in Maryland into giving the group access to the employee’s computer.
“Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” Marriott spokesperson Melissa Froehlich Flood told TechCrunch in a statement. “The threat actor did not gain access to Marriott’s core network.”
Marriott said it had identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay.
On its end, the group claiming responsibility for the attack says the stolen data is valuable as it includes guests’ credit card information along with confidential information about both guests and employees. Samples of the data provided to Databreaches.net reportedly show reservation logs for airline crew members from January 2022, names and other details of guests, as well as credit card information used to make bookings.
However, Marriott claims that its investigation determined that the data accessed “primarily contained non-sensitive internal business files regarding the operation of the property.”
The company will notify 300-400 individuals regarding the incident and has already notified relevant law enforcement agencies.
Previously Marriott was hacked in 2014 when perpetrators managed to gain access to almost 340 million guest records worldwide — an incident that went undetected until September 2018 and led to a £14.4 million ($24 million) fine from the UK’s Information Commissioner’s Office. Then in January 2020, the hotel chain was hacked again in an incident that affected around 5.2 million guests.
As a Marriott guest, there is little you can do about breaches like these; it is all up to the hotel chain’s IT defenses. You could pay for your stays in cash, but that will not earn you credit card points if you’re collecting those. Otherwise, you could (and should) monitor your credit card account, take note of every suspicious transaction you’re not aware of, and immediately notify your bank about it.
Elsewhere, you should beef up your defenses by using a solid antivirus and a great VPN. And never click on suspicious links.