Marriott International, the hotel group that owns global chains including Marriott, St Regis and The Ritz-Carlton, has suffered a major security breach – its second in three years.
The company announced on 31 March that details of up to 5.2 million customers could have been accessed between mid-January and the end of February this year.
In a statement, Marriott said: “Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels.
“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020.”
The access credentials involved have now been disabled and the hotel group is currently investigating the incident and the extent of the breach.
It said that “although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy [its loyalty scheme] account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
However, the data breach could have involved contact details (eg name, mailing address, email address, and phone number); loyalty account information (eg account number and points balance, but not passwords); additional personal details (eg company, gender, and birthday day and month); partnerships and affiliations (eg linked airline loyalty programmes and numbers); and preferences (eg stay/room preferences and language preference).
Marriott has already contacted customers involved, and they will be required to reset their passwords, while worried guests can also check whether they were affected via a dedicated portal.
Customers whose data may have been breached are also offered enrolment into IdentityWorks, a personal information monitoring service, free of charge for a year.
The Marriott group previously experienced another major data breach, which was discovered in 2018.
Up to half a billion customers were affected – the largest breach in history – and some credit card details were among the data involved.