Cyber Incident Victim: Marriott International
Date: Sep 2019
Location: United States of America
Summary
Marriott experienced a data exposure incident involving unauthorized access to sensitive associate information, including Social Security numbers, stored by an external vendor handling official legal documents. The breach impacted approximately 1,552 individuals, with notification delays occurring due to missing address records for most affected parties. The compromised vendor, no longer servicing the company, confirmed secure deletion of the data and had initiated forensic investigations alongside law enforcement prior to Marriott's discovery. Credit monitoring and identity theft protection services were provided to those affected. This incident followed a significantly larger prior breach involving guest reservation systems and passport numbers under a subsidiary brand.
Description
On September 4, 2019, Marriott International became aware of unauthorized access to sensitive associate information stored on the network of an unnamed external vendor. This vendor had previously acted as Marriott’s agent for receiving official legal documents, including subpoenas and court papers. An unknown individual accessed these documents, which contained associates’ Social Security Numbers (SSNs). The vendor was already investigating the incident with a forensics firm when Marriott learned of the breach, and law enforcement had been notified. Marriott confirmed that the exposed data related to official documents sent to the vendor and that the information was “accessed or accessible” during the event. The company did not disclose technical details of how the unauthorized access occurred. At least 1,552 associates were impacted, though the vendor’s initial list of affected individuals lacked addresses for most, complicating notification efforts.

Marriott began mailing breach notifications to impacted associates on October 30, 2019—nearly two months after discovery—as addresses were identified. Peggy Hassinger, Vice President of Associate Relations, signed the notification letters, which confirmed the exposure of SSNs and offered one year of free credit monitoring and identity theft protection through Experian’s IdentityWorks Credit 3B. The vendor had ceased working with Marriott prior to the incident and subsequently deleted all Marriott-related data from its systems. Marriott continued efforts to locate addresses for a small number of remaining associates. The incident was notably smaller in scale than Marriott’s 2018 breach of a Starwood guest reservation database, which exposed 383 million records—including 5.25 million unencrypted passport numbers—due to unauthorized access dating back to 2014, prior to Marriott’s acquisition of Starwood. No evidence suggested operational systems or guest data were compromised in the 2019 vendor incident.
