Cyber Incident Victim: Marriott International
Date: May 2022
Location: United States of America
Summary
Marriott experienced a data breach when the threat actor group GNN used social engineering to compromise an employee at a Maryland airport hotel, exfiltrating approximately 20 GB of data. The stolen information included internal business documents, corporate credit card details with CVV and expiration dates, flight crew reservations, and an employee personnel file. The hotel chain confirmed the incident affected 300-400 individuals, did not pay any ransom, and contained the breach within six hours while cooperating with law enforcement.
Description
In May 2022, Marriott International experienced a security breach at its BWI Airport Marriott property in Maryland. An unnamed threat actor group, referred to as "GNN" (Group with No Name), gained access to the hotel's systems through social engineering tactics that deceived one hotel associate into providing computer access. The attackers exfiltrated approximately 20 GB of data, which included internal business documents, proprietary operational manuals, personnel assessments, and sensitive guest information. Among the compromised records were airline crew reservation forms containing first initials, last names, flight numbers, room assignments, and corporate credit card details with CVV codes and expiration dates. GNN claimed the breach occurred without significant resistance, criticizing Marriott's security measures as "very poor" and emphasizing the value of the stolen "critical data," though they acknowledged not accessing Marriott's entire database. The group contacted Marriott employees via email about the breach, initially receiving responses before communications ceased. GNN portrayed themselves as a professional entity operating internationally for five years, asserting they avoided media attention by maintaining confidentiality in previous operations.

Marriott confirmed the incident after being contacted by DataBreaches.net on June 28, 2022, stating they had already identified and contained the breach within six hours before GNN's outreach. The company maintained that the threat actor's access was limited to files available to the compromised associate, with no evidence of broader system infiltration. Marriott engaged external legal counsel at BakerHostetler and notified law enforcement, pledging cooperation with investigations. The organization estimated that 300–400 individuals required notification due to exposed personal information, though it did not specify whether affected parties were primarily guests, employees, or both. Internal documents reviewed by DataBreaches.net included a personnel evaluation of a BWIA Marriott event supervisor and operational guides for labor management systems, some of which appeared outdated. Marriott did not disclose whether it received or negotiated ransom demands, while GNN implied discussions had occurred but collapsed due to "high pricing." The company did not publicly detail remediation steps such as employee retraining, though the breach's containment suggested immediate access revocation. This incident marked Marriott's seventh publicly reported security event since 2010, following prior breaches involving vendor compromises, credential theft, and the massive 2014 Starwood intrusion discovered post-acquisition.
