Marriott International has had to admit that it has suffered a second data breach, following its earlier admission in 2018. According to an incident notification published on its website, the company spotted unusual activity in an app that guests use to access services during their stay.
An investigation into the activity revealed that the login credentials of two Marriott employees had been used to access “an unexpected amount” of guest information. Marriott said guest data that may have been compromised in the breach included contact details, loyalty account information, personal details such as birth dates, and information concerning linked partnerships and affiliations like airline loyalty programs.
Precisely what information was accessed varied from guest to guest, but in some cases email addresses, phone numbers, and employer details were exposed.
Marriott said: “At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020.”
While the investigation into the data breach is ongoing, Marriott said that “we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
On March 31, 2020, Marriott sent emails about the incident to the guests involved. The hotel chain has offered guests affected by the incident a year’s worth of personal information monitoring from IdentityWorks free of charge.
Marriott said: “We have also set up a self-service online portal for guests to be able to determine whether their information was involved in the incident and, if so, what categories of information were involved.”
This latest data breach has affected approximately 5.2 million Marriott guests. The hotel chain has advised Marriott Bonvoy account holders to change account passwords and to monitor their accounts for suspicious activity.