Marriott Suffers New Data Breach, 20 GB of Data Stolen

Marriott International Sign Outside Company Headquarters in Maryland

A threat actor has successfully stolen 20 GB of data from the multinational hotel chain Marriott International, including credit card information and other confidential data, a website that tracks data breaches reported on Tuesday.

The BWI Airport Marriott in Maryland, USA, appears to be the source of the stolen data.

DataBreaches.net broke the news after learning about the breach directly from the threat actor. A Marriott representative confirmed the breach to the website.

Threat Actor Emailed Several Marriott Employees

In a blog post, DataBreaches said it received a message from the threat actor on June 28, claiming they had siphoned 20 GB of files from a BWI Airport Marriott server.

The unidentified hackers said they sent emails to Marriott employees informing them about the breach. According to the hackers, the hotel’s representatives initially communicated with them, and the topic of payment for returning the stolen files was raised. However, Marriott abruptly stopped responding to them.

“They were communicating with us and went silent for no reason, it might be because of the high pricing, but we are always willing to find a deal with our clients and told Marriott that we can provide all the discounts in the world,” the threat actor told DataBreaches.

Marriott Says Attack Was Contained in 6 Hours

While Marriott representatives confirmed the breach to DataBreaches, they downplayed its severity, saying it was contained in six hours. Marriott claims it was already investigating the incident before the threat actor contacted it.

The hotel said the breach was the result of a social engineering scam. Apparently, the hackers tricked a Marriott hotel associate into giving them access.

“We have no evidence that the threat actor had access beyond the files that were accessible to this one associate,” a Marriott spokesperson told DataBreaches.

Marriott and Hackers Disagree on Nature of Stolen Information

Marriott described the stolen data as non-sensitive internal business files, but the hackers said the haul includes “critical data” such as the personal information of employees and guests.

The group shared a sample of the dataset with DataBreaches, and it reportedly includes “internal business documents with confidential and proprietary information such as how to access a labor management and scheduling platform.”

The sample had the booking information of airlines that made reservations for their flight crews. This data includes the first and last names of airline employees, their designations, flight details, and assigned rooms as well as corporate credit card numbers—most likely belonging to the airlines or travel agencies.

The sample also includes a Human Resources file belonging to a Marriott event supervisor. The file had an employee’s name as well as performance ratings and reviews.

Marriott said it will notify 300-400 individuals, law enforcement, and the appropriate data regulators about the breach. The hotel did not provide further details about the stolen data.

Marriott’s History of Data Breaches

This is the latest in a series of data breaches Marriott has suffered over the past five years.

In 2018, Marriott announced a breach that exposed the personal data of about 500 million guests from its Starwood subsidiaries’ database. In 2020, the hotel announced another breach that allowed hackers to access the private information of up to 5.2 million guests.

This new breach raises more questions about Marriott’s data security. The hackers responsible described Marriott’s data security as “poor.”

“Their security is poor, there were no problems taking their data. At least we didn’t get access to the whole database, but even the part we took was full of the critical data,” they told DataBreaches.

Social engineering scams are more common than ever before. It is important for organizations to improve their security defenses and data practices, and individuals must also take steps to secure their data. In April, we reported on a social engineering scam targeting Instagram users to steal their accounts.

The best way to protect yourself from such attacks is to stay informed. To learn more, we recommend checking out our detailed article on social engineering scams.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.