Marriott International Inc. is investigating a data breach that exposed up to 5.2 million customers’ personal information, at least the third cyber incident for the hotel giant in the past 18 months.
The company said in a statement on its site Tuesday that some guests’ names, addresses, birthdays, emails, phone numbers and loyalty reward program numbers for both the hotel chain and partner airlines could be compromised. It added that it “currently has no reason to believe” that more sensitive information like passwords, passport information or driver’s license numbers were affected.
The news comes at a devastating moment for Marriott and the broader tourism industry. The Bethesda, Md., firm—the world’s largest hotel company—has furloughed thousands of employees in response to the economic fallout from the coronavirus pandemic.
How the breach revealed on Tuesday transpired is unclear. The data was accessed using login credentials of two employees of a franchised hotel in Russia, spokesman Brendan McManus said in an email. He didn’t say whether the employees are suspected of foul play or if their accounts were compromised.
“Our investigation is ongoing, and it is too premature to comment on that,” Mr. McManus said.
Marriott said in the statement on its website that it noticed an unusual amount of guest data accessed through an in-house app used to track customers’ check-in dates, birthday celebrations and towel preferences. While company officials say they first noticed the uptick in activity in late February, they believe it began in mid-January.
The breach Marriott reported Tuesday is at least its third in the past 18 months. In a letter to the California attorney general in October, the hotel chain said unknown attackers gained access to at least 1,552 company employees’ names, addresses and Social Security numbers through a former vendor that handled official documents such as court orders and subpoenas.
Mr. McManus declined to comment on that breach.
A year earlier, the company revealed a massive hack of the reservation database for its Starwood properties that exposed more than 300 million guests’ data, including sensitive information like passport numbers, payment cards and travel details. Marriott has since faced a class-action lawsuit over the breach, believed to be one of the largest in history.
Governments in Europe and the U.S. rolled out new regulations in recent years to construct guardrails that protect against such privacy violations. The U.K. Information Commissioner’s Office proposed a $124 million fine on Marriott last year in response to the Starwood hack, a penalty that Marriott said at the time it would contest. A spokesperson for the agency said Tuesday that the “regulatory process is ongoing.”
The U.K. watchdog is aware of the breach Marriott announced Tuesday and is in touch with company officials, the spokesperson added.
“If a breach is likely to result in a high risk to people’s rights and freedoms, Marriott should be informing customers as soon as possible, so they can take any steps necessary to protect themselves,” the spokesperson said.
Most regulators understand that even companies as large as Marriott can’t fend off every cyberattack, said Richard Lawson, a partner at law firm Gardner Brewer Martinez-Monfort PA.
“But when you get into multiple breaches, then you’re automatically going to be dealing with intense scrutiny from the regulators,” said Mr. Lawson, a former director of the consumer protection division in the Florida Attorney General’s Office. “The idea being, of course, that this company was on notice, this company had this issue before, and had a visit from us before. And here we are again.”
Mr. McManus reiterated that Marriott is committed to improving its privacy protections. He added that the company is working with its insurers to evaluate costs related to the incident and doesn’t expect them to be significant.
Marriott’s letter to affected guests pointed them to a dedicated website and call center for more information and offered a yearlong enrollment in a data-monitoring service to protect against identity theft. It also warned customers to set up two-factor authentication on their rewards accounts and to be on the lookout for Marriott-related phishing scams.
–James Rundle and Catherine Stupp contributed to this article.
Write to David Uberti at [email protected]
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.