Marriott International Inc. says the impact of the second major data breach it has reported in just 18 months will not be significant, owing to its cyber insurance policy.
But security experts today warned that they feared the hotel chain was being mined for personal data on government officials that could be exploited for intelligence purposes.
The incident, reported March 31, saw the personal data of approximately 5.2 million guests exposed, including names, contact details, and loyalty rewards status.
Marriott International Data Breach: What Happened?
Marriott said: “At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
The data breach comes after the UK’s Information Commissioner’s Office (ICO) in July 2019 said it intended to fine Marriott International over £99 million for infringements of GDPR, after the company reported that some 339 million guest records had been stolen in an incident dating back to 2014, before Marriott’s 2016 acquisition of the Starwood hotels group.
(That proposed fine appears to have been kicked into the long grass, with an extension of the regulatory process until 31 March 2020 and legal experts suggesting a significantly lower settlement, like the £500,000 agreed by Facebook, was likely).
Insurance Should Cover the Damages
Marriott International suggested it was relaxed about the economic impact of the recent data breach, noting: “Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage. The company does not currently believe that its total costs related to this incident will be significant.”
Casey Ellis, CTO and founder of security firm, Bugcrowd, said the incident was troubling. He said: “Like the OPM, Anthem, Dulles and the 2018 Marriott breach, this breach is just another in a long string of attacks targeting US officials.
“Think about it, officials from the NSA, CIA, FBI, DoD stay at Marriott hotels, including possibly diplomats, business people or intelligence officials as they travel around the globe. The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security – alarm bells should be going off.”
He added: “The hospitality industry continues to demonstrate a greater need for stronger security measures – especially since this is the second security incident affecting Marriott in the past two years.
“This attack emphasizes the need for the hospitality industry to take security seriously. Hotels collect more private personal information than most enterprise organizations (birthdays, passport numbers, email and mailing addresses, and phone numbers). Cybercriminals know what types of organizations collect troves of sensitive data, and given the amount of valuable information at hand, hospitality organizations can no longer afford to ignore their vulnerabilities.”