Cyber Incident Victim: Marriott International

Date: Jun 2022

Location: United States of America

Summary

A cybersecurity incident at BWI Airport Marriott involved unauthorized access to an associate's computer through social engineering, enabling threat actors to exfiltrate approximately 20 GB of data. The compromised information included internal business documents, proprietary operational details, and sensitive guest and employee records such as flight crew reservations with corporate credit card details (including CVV and expiration dates) and personnel assessments. The organization confirmed the breach, notified 300-400 affected individuals, engaged law enforcement, and stated no ransom was paid. The threat actor, an unnamed group, criticized the hotel's security measures but acknowledged limited access compared to broader database exposure. The incident was reportedly contained within hours of detection.

Description

On or around June 28, 2022, an unnamed threat actor group designated as "GNN" by DataBreaches.net claimed responsibility for breaching the BWI Airport Marriott (BWIA) in Maryland. The group stated they had infiltrated the hotel's systems approximately one month prior, exfiltrating approximately 20 GB of data. GNN contacted DataBreaches.net with samples of the stolen information, which included internal business documents and guest records. Analysis of these samples indicated the compromised data originated from BWIA's systems, a claim GNN later confirmed. Marriott acknowledged the incident after being contacted by DataBreaches.net, attributing the breach to a successful social engineering attack against a single hotel associate that granted the threat actors access to that employee’s computer. The company asserted the attacker’s access was limited to files available to that associate and contained the incident within six hours of detection, though the exact discovery timeline remains unspecified.

The exfiltrated data comprised non-sensitive internal business files, such as labor management platform access procedures and personnel performance evaluations, alongside sensitive guest and employee information. Specific compromised guest records included airline crew reservation details containing first initials, last names, flight numbers, assigned room numbers, and corporate credit card information—including full card numbers, CVV codes, and expiration dates. Marriott confirmed plans to notify approximately 300-400 affected individuals and relevant regulators, though the composition of this group (guests versus employees) was not disclosed. Law enforcement was engaged, with Marriott supporting the investigation. GNN claimed to have communicated extortion demands to Marriott, offering negotiated discounts, but stated Marriott ceased correspondence abruptly. Marriott confirmed no ransom was paid and maintained the incident’s scope was narrower than GNN described. The threat actor criticized Marriott’s security posture as inadequate but did not contest the company’s characterization of the breach’s limited access vector or containment timeline.
