International hotel chain Marriott has suffered a fresh data breach, with cybercriminals claiming to have stolen 20 gigabytes of information including personal and credit card details of guests.
The breach is thought to have occurred when an unnamed hacking group tricked an employee at one of Marriott’s hotels, the BWI Airport Marriott in Baltimore, into giving them access to the company’s systems in a social engineering attack.
According to DataBreaches, which first reported the attack, the hackers have documents detailing names and other details of guests, as well as credit card information used to make bookings.
Marriott owns and operates more than 8,000 properties around the world. The company confirmed the breach to DataBreaches, but said the information stolen was mostly “non-sensitive business files”. It says it has informed between 300 and 400 affected parties, as well as the relevant data protection watchdogs and law enforcement agencies.
The hackers have reportedly demanded a ransom to release the information back to Marriott, but it is thought the company has not yet paid up.
Marriott data breaches and the rise of social engineering attacks
This is not the first time Marriott has suffered a significant data breach. In 2020 it was fined £18.4m by the UK’s Information Commissioner’s Office for a data breach that impacted up to 339m customers. The ICO had initially threatened to fine the company up to £99m.
This breach started when the Starwood Hotels group suffered a cyberattack in 2014. Starwood was acquired by Marriott two years later, and the breach went undetected until 2018. The ICO said client names, addresses and passport information were vulnerable. The attack was linked to Chinese state-backed hackers, an allegation that Beijing denied.
Two years ago, Marriott saw data on 5.2m customers stolen. The breach, which occurred in January 2020 and was discovered two months later, is thought to have started when criminals gained access to login information from two members of staff at a Marriott hotel operated as a franchise.
Social engineering has been on the rise since the Covid-19 pandemic, with staff working remotely often vulnerable to attacks by criminals who contact them by phone or email purporting to be from their employer. This technique was used successfully by the Lapsus$ hacking gang to gain access to some of the biggest names in tech during its crime spree earlier this year.