5.2m guest records exposed in latest Marriott data breach

1 Apr 2020


The hotel group said that contact details, loyalty account information and other personal details may have been exposed in the breach.

On Tuesday (31 March), the Marriott hotel chain announced that it had suffered another data breach, discovered at the end of February 2020.

This comes less than a year after the UK data protection authority fined the hotel group more than £99m following a breach of the company’s Starwood guest database. In the previous data breach, as many as 383m guest records were compromised.

In its latest incident notification, Marriott said it identified that an “unexpected amount of guest information may have been accessed” using the login credentials of two employees at a franchise property, starting in mid-January.

The hotel group said that these credentials were disabled and an investigation was started, but added that information related to “up to approximately 5.2m guests” may have been exposed.

What data was accessed?

The hotel group does not believe that passwords, PINs, payment card information, passport information or national IDs were accessed.

However, it said that contact details, loyalty account information, partnerships and affiliations, hotel preferences and other personal details may have been accessed. Personal details include company names, gender and birth dates.

The company has set up a self-service portal for guests to check whether or not their information was involved in the incident and, if so, what categories of information may have been involved.

Marriott has also set up call centres for guests to get more information. Additionally, the company is offering those affected the option to enrol in a personal information monitoring service for free for one year.

Marriott’s last data breach

The last time Marriott was in the news for a data breach, it was after the hotel chain discovered that data was exposed from a database it acquired when it bought the Starwood brand, which includes Westin Hotels, St Regis, Sheraton Hotels and W Hotels.

The company disclosed the breach in January 2019, suggesting that around 383m guest records were compromised, but adding that it was difficult to determine the exact number “due to the nature of the database”.

At the time, Marriott said more than 5m unencrypted passport numbers and millions of encrypted payment cards were accessed during the breach, which was discovered in 2018. Marriott acquired Starwood in 2016.

When the company was fined for the breach last year, UK information commissioner Elizabeth Denham said: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.

“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Kelly Earley was a journalist with Silicon Republic
