Sophos analyses the Marriott data breach that affects up to 5.2 million people

John Shier, Senior Security Advisor, Sophos.

The hotel chain says it uses an application to help provide services to its guests. Beginning mid-January this year, the login credentials of two employees at a franchised property were used to access guest information on this app. When the breach was discovered at the end of February, Marriott International says it disabled those login credentials and began its investigation.

What data was accessed?

Marriott says it believes the following information “may have been involved” although the entries weren’t there for every guest:

Contact details: name, mailing address, email address, and phone number

Loyalty account information: account number and points balance, but not passwords

Additional personal details: company, gender, and birthday day and month

Partnerships and affiliations: linked airline loyalty programs and numbers

Preferences: stay/room preferences and language preference

Marriott says there is currently no reason to believe the information accessed included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.

Marriott says it informed guests via email on 31st March, from the address marriott@email-marriott.com. It says it’s giving guests the option of accessing a data monitoring service for a year.

What to do

Marriott International has set up a self-service portal for you to be able to determine if and what information of yours was accessed. It’s also listed a set of phone numbers you can call on its breach announcement page. If your information was involved, Marriott has disabled your password and you’ll be prompted to enter a new one when you next log in. The company is also recommending you enable two-factor authentication on your account, although we couldn’t find the option when we logged in.

Stay alert for scams. Criminals like to take advantage of breaches to send phishing emails or spin up fake websites. Don’t click on any links, and verify anything you encounter by heading directly to the official breach website or calling the official call centre numbers. Marriott says if it contacts you by email it’ll do so from the marriott@email-marriott.com email address, and won’t send emails with attachments or ones that ask for information.

Says John Shier, Senior Security Advisor, Sophos, “Marriott has announced yet another breach, 16 months after their last. While this one is small compared to the previous breach – Marriott reports 5.2 million affected accounts – it highlights the fact that, even during a global pandemic, criminals will not stop attacking us.”

“Even though no passwords, PINs, identity documents, or financial information was reportedly stolen, enough personal information was compromised that it can be of use to identity thieves. This information can be used to lend credibility to phishing emails and increase their chance of success. Let’s not give cybercriminals an easy win during these unprecedented times – stay vigilant against their dirty tricks. They won’t rest; neither should we.”
