International hotel chain Marriott today disclosed a data breach impacting nearly 5.2 million hotel guests, making it the second security incident to hit the company in recent years.
“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” Marriott said in a statement.
“We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
The incident exposed guests’ personal information such as contact details (name, mailing address, email address, and phone number), loyalty account information (account number and points balance), and additional information such as company, gender, dates of birth, room preferences, and language preferences.
The hospitality giant said an investigation into the breach was ongoing, but that there was no evidence that Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers were compromised.
Marriott has also set up a self-service online portal for guests to check whether their personal details were involved in the breach, and what categories of information were exposed. In addition, it’s offering affected users an option to enroll in IdentityWorks, a personal information monitoring service, free of charge for 1 year.
The company has already disabled the passwords of Marriott Bonvoy members whose information was potentially exposed in the incident. Those members will be notified to change their passwords at their next login and prompted to enable multi-factor authentication.