The global firm will no doubt be fearing yet more fines as a result of the breach through one of the company’s applications.
International hotel chain Marriott has suffered another major data breach, following a previous breach discovered in 2018.
The company has disclosed that the breach affects the information of 5.2m customers, with thieves accessing the log-in credentials of two employees at a franchise property to complete the breach. They used a guest services application used by hotels operated and franchised under the company’s various brands.
Marriott said: “We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the log-in credentials were disabled, immediately began an investigation, implemented heightened monitoring and arranged resources to inform and assist guests.”
It went on: “Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver’s licence numbers.”
But information that was stolen could include contact details – including postal and email addresses and phone numbers – information on customer loyalty accounts not including passwords, employer details, gender and birth dates, linked airline loyalty programmes and guest room preferences.
affected by the breach are said to have been emailed about it today (31 March), and all Marriott Bonvoy members in the frame have had their account passwords disabled and they must now re-access and secure their accounts.
The firm has set up an international self-service online portal for affected guests, as well as a phone contact centre. The company is also offering customers the option to enrol into Experian’s IdentityWorks data monitoring service for free for the next 12 months, to help stop any frauds
The reported Marriott data breach in 2018 was much more widespread, affecting 400m globally who had stayed at the company’s Starwood properties between 2014 and
As a result of that breach, the UK Information Commissioner’s Office (ICO) fined Marriott International £99m under the European Union’s General Data Protection Regulation (GDPR).
At the time, the ICO slammed Marriott for failing to conduct due diligence on the IT and security systems at Starwood when it acquired the business in 2016. It did however say Marriott had made improvements to its cyber security after the breach.
The ICO and other compliance authorities will now be taking another look at the systems of the company, which will no doubt be expecting more fines.