Marriott Hotels admits to third data breach in 4 years

Digital thieves made off with 20GB of internal documents and customer data


Updated Crooks have reportedly made off with 20GB of data from Marriott Hotels, which apparently included credit card info and internal company documents. 

The unnamed crew behind the theft told DataBreaches it broke into a server at the Marriott hotel at Baltimore-Washington International Airport in Maryland late last month.

The group shared screenshots of customer credit card authorization forms, including full card details, and said its members were in communication with Marriott though the hotel chain stopped talking. 

"We were acting like a red hat organization and they just stopped communicating with us," a spokesperson for the gang told DataBreaches.

So-called "red hat hackers" are the less ethical cousins of white hats, the latter of whom often operate with permission from the organizations they target.

Both Marriott and the miscreants said no money was exchanged, though the group did admit cash may have been the reason why communications dried up. It appears the crew asked for some kind of reward or payment following the security breach.

"[Marriott] went silent for no reason, it might be because of the high pricing, but we are always willing to find a deal with our clients and told Marriott that we can provide all the discounts in the world," the thieves told DataBreaches. 

The attackers claim they are an international group that doesn't encrypt the data of their victims because they don't want to interfere with businesses, and they say they don't attack governments or critical infrastructure.  

How'd they get in? Social engineering

According to statements that Marriott made to DataBreaches, the attackers used social engineering to access a single employee's computer. Marriott said they have no evidence the criminals accessed files beyond what the person they tricked had access to, and said they contained the breach within six hours.

Based on documents seen on DataBreaches, some of which were shared in the above-linked post, some of the information stolen was definitely sensitive. Internal business documents were included, while others contained information on hotel guests and staff including corporate card numbers, wage data, personal identifiable information and even a personnel assessment of a staff member at the hotel.

Marriott said it has to notify between 300 and 400 people, both guests and employees, due to the breach.

This data breach is only the latest attack on a Marriott-owned hotel. Most recently, attackers made off with 5.2 million guest records in 2020. A 2018 data leak was even larger, with 383 million booking records, 5.3 million unencrypted passport numbers and tens of millions of encrypted records stolen, too. In the case of the 2018 leak, it was breach of Marriott's Starwood subsidiary's guest reservation network – which it bought in 2016. That leak exposed the entire database – a full 500 million guest bookings over four years, making it one of the biggest breaches of an individual organization ever.

What has Marriott learned from all those breaches? According to the people behind the latest attack, not much. "Their security is very poor, there were no problems taking their data. At least we didn't get access to the whole database, but even the part that we took was full of the critical data," the gang said.

The Register has contacted Marriott to learn more, and we'll update you as needed. ®

Updated at 10.04 UTC on 7 July 2022:

Following publication of this article, a spokesperson at Marriott sent us a statement:

"Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate's computer. The threat actor did not gain access to Marriott's core network.

"Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property. The incident was contained to a short period of time. Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay.The company is preparing to notify 300-400 individuals regarding the incident. Marriott has also notified law enforcement and is supporting their investigation."


Other stories you might like

Biting the hand that feeds IT © 1998–2022