Cyber Incident Victim: Marriott International
Date: Jan 2020
Location: United States of America
Summary
Marriott experienced a significant data breach involving unauthorized access to a franchise hotel's system via compromised employee credentials, leading to the exposure of personal information for approximately 5.2 million guests. The compromised data included names, contact details, birth dates, loyalty program details, and travel-related information such as linked airline loyalty numbers and room preferences, though payment data was not believed to be affected. This incident marked the company's second major breach in three years, following a prior compromise of its subsidiary Starwood's reservation system that impacted hundreds of millions of guests and exposed sensitive records including passport numbers and credit card details.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Marriott disclosed a second major data breach on March 31, 2020, involving unauthorized access to personal information of approximately 5.2 million hotel guests. The company detected the intrusion in late February 2020 during a routine security review of an unspecified property system at a franchise-operated location. Investigation revealed attackers had compromised login credentials belonging to two employees at the franchise property, enabling system access beginning in mid-January 2020. The breach exposed guest information including names, physical addresses, phone numbers, Marriott Bonvoy loyalty program details, birth dates, and travel-specific data such as linked airline loyalty program numbers and individual room preferences. Marriott explicitly stated no evidence indicated theft of payment card information or financial data. The company initiated containment measures including disabling compromised credentials, implementing enhanced monitoring systems, and notifying affected guests via email starting March 31, 2020.

This incident occurred less than two years after Marriott's November 2018 disclosure of a separate breach impacting its Starwood Hotels subsidiary's central reservation database. The earlier breach compromised records of 383 million guests, including highly sensitive information such as 5 million unencrypted passport numbers and 8 million encrypted payment card records. European data protection authorities imposed a £99 million ($123 million) fine against Marriott in July 2019 under GDPR regulations for security failures related to the 2018 incident. The recurrence of a significant breach within three years raised concerns about systemic vulnerabilities in Marriott's security infrastructure, particularly regarding franchise property systems and employee credential management. Both breaches involved unauthorized access persisting for extended periods before detection—approximately four weeks in the 2020 incident versus nearly four years in the 2018 Starwood case.
