"At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property," Marriott said in a statement.
"We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."
The incident exposed guests' personal information such as contact details (name, mailing address, email address, and phone number), loyalty account information (account number and points balance), and additional information such as company, gender, dates of birth, room preferences, and language preferences.
The hospitality giant said an investigation into the breach was ongoing, but that there was no evidence that Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver's license numbers were compromised.
Marriott has also set up a self-service online portal for guests to check whether their personal details were involved in the breach, and what categories of information were exposed. In addition, it's offering affected users an option to enroll in IdentityWorks, a personal information monitoring service, free of charge for 1 year.
The company has already taken the step of disabling the passwords of Marriott Bonvoy members who had their information potentially exposed in the incident, and they will be notified to change their passwords during the next login, as well as prompted to enable multi-factor authentication.
The incident follows a 2014 compromise of the guest reservation database of Starwood Hotels, which Marriott acquired in 2016. That breach, which exposed personal details of over 339 million guests globally, wasn't detected until November 2018, and led to Marriott paying a fine of £99 million ($123 million) to the UK's data privacy regulator, the Information Commissioner's Office, under GDPR laws.
"The kinds of information disclosed in the latest Marriott breach might seem innocuous, but it is precisely this kind of intelligence that enables threat actors to better target attacks on consumers," Gerrit Lansing, STEALTHbits' Field CTO told The Hacker News via email today.
"Simply: the more I know about you, the better chance I have of fooling you. Compromised credentials remain one of the top vectors for this kind of compromise, and strong authentication before accessing sensitive information one of the best defenses."