For the second time in less than 18 months, Marriott International has experienced a data breach, the company reported Tuesday. The breach affects up to 5.2 million guests, and the company is emailing all those affected, Marriott said in a statement.
The first incident, announced in November 2018, involved Starwood Hotels & Resorts data. Marriott acquired Starwood in 2016, and it is believed the breach began before the sale was completed. That breach involved the data of up to 339 million guests and resulted in the Information Commissioner's Office issuing Marriott with a £99 million fine.
The information was accessed through an application used by hotels operated and franchised under Marriott brands to provide services to guests. The information compromised included contact details, such as name, mailing address, email address and phone number; loyalty account information, including account number and points balance but not passwords; additional personal details like company, gender, birth day and month; partnerships and affiliations, such as linked airline loyalty programmes and numbers; and preferences, including room and language preferences. Not all guests had all of that information stored in the application.
Marriott said it has "no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver's license numbers".
The company first noticed at the end of February that two franchise employees' login credentials were used to access a larger volume of guest records than normal, but believes the activity started in mid-January, the statement said. The company confirmed that the login credentials were disabled, and it began an investigation, heightened monitoring, began to inform and assist guests, and notified the relevant authorities. The investigation is ongoing.
Marriott has set up a dedicated website and call centre resources with additional information for guests. It is also providing, where available, the option to enroll in the IdentityWorks monitoring service free of charge for one year. Guests have until 30 June 2020 to enroll.
Marriott is not the only hotel company to experience a data breach. Prior to being acquired by Marriott, Starwood Hotels & Resorts disclosed in November 2015 that malware had been found on its point-of-sale systems. Hyatt Hotels Corp., Hilton Worldwide and InterContinental Hotels Group have also disclosed their own POS system breaches.