Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off 5.2m guests' personal info

How many customers' deets? It's not saying just yet

Updated: Marriott Hotels has suffered its second data spillage in as many years after an "unexpected amount" of guests' data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected "at the end of February."

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.

Bob Rudis of infosec biz Rapid7 commented: “The use of stolen, legitimate credentials is still one of the most popular attack vectors for our adversaries. It is also paramount that you continue to watch for anomalous behaviour of systems and accounts to reduce the time attackers have to accomplish their goals if they do manage to breach your defences.”

Guests are now being emailed, with the company publishing a self-help portal so you can, er, input your personal data to find out whether it was exposed or not. A link is available from the Marriott security breach notification page. For affected Brits, an 0800 number is provided so one can bellow enraged obscenities at some call centre drone, or rather, obtain further information.

Free Experian identity monitoring is also being provided to those affected. The idea of this is to notify you if criminals are using your stolen details to clone your identity.

If you are involved, Marriott said in its statement it would force password resets and prompt users to enable multi-factor authentication.

Back in 2018 Marriott lost control of 383 million people’s personal data after China-based criminals broke into its Starwood brand’s guest database. Included in that hack were 8.6 million “encrypted” credit card numbers, though the hotel chain insisted that all but a mere 354,000 had expired by the time staff realised what had happened.

The data spillage will come as bad news for Marriott’s lawyers and beancounters, who thought they had been successful in kicking the UK ICO's £99m fine for the 2018 breach into the long grass. And lest we all forget, in 2014 the hotel chain was caught red-handed blocking guests’ own Wi-Fi hotspots in a vain attempt to force them to buy expensive hotel Wi-Fi access instead. ®

Updated to add

Marriott says information on "up to approximately 5.2 million guests" may have been stolen. That info included names, mailing addresses, email addresses, and phone numbers, loyalty account numbers and points balances, employer, gender, and birthday days and months, and linked airline loyalty programs and numbers.

Biting the hand that feeds IT © 1998–2022