Two years after disclosing one of the larger data breaches ever, Marriott has notified customers of another incident, this one affecting about 5.2 million people.
The breach involved improper access to a software system that Marriott uses as part of its guest services at franchise properties. Company officials said the information compromised during the breach includes names, addresses, email addresses, company affiliations, birth dates, phones numbers, and some details of victims’ Marriott Bonvoy loyalty accounts. Marriott officials said no passwords, payment card, or passport information was affected by the incident.
“Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” the Marriott statement says.
“The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.”
Although Marriott officials said that Bonvoy loyalty account passwords were not part of the information compromised in the breach, the company said it would require Bonvoy members affected by the incident to update their passwords.
“If you are a Marriott Bonvoy member and we have determined that your information was involved: We have disabled your existing Marriott Bonvoy password, so when you log in to your Marriott Bonvoy account at Marriott.com, you will be prompted to change your password. You will also be prompted to enable multi-factor authentication to further protect access to your account,” the Marriott notification says.
Marriott sent email notices today to the affected customers and also has set up a dedicated website through which individuals can check to see whether they’re affected. That portal requires people to go through a three-step process to confirm their email addresses and then check the results of their inquiries.
This most recent incident, affecting as many as 5.2 million people, pales in comparison to Marriott’s 2018 breach, which affected more than 500 million customers around the world. That breach was the result of a deep intrusion into the company’s systems and included the theft of a broad range of personal information, including passport numbers and payment card data in some cases.
Marriott is still investigating the breach it disclosed today, so the details of the data affected and the number of people involved may change.
“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” the company said.