Hotel giant Marriott suffers another data breach

Hotel group Marriott International has fallen victim to a yet another data breach, with hackers responsible claiming to have stolen 20 gigabytes of sensitive data, including the credit card details of the customers.

According to a report from DataBreaches, the incident took place in June of this year when an anonymous hacking gang stole was able to steal confidential data from a server at a BWI Airport Marriot in Maryland, USA (BWIA).

The information stolen allegedly included credit card numbers, proprietary data, and personally identifiable information (PII) on flight crews that had reservations at the hotel.

Redacted sample documents published by DataBreaches appear to show credit card authorisation forms, which would offer an attacker all the information necessary to conduct fraudulent transactions with a victim’s card.

The group said they deceived a Marriott hotel staff in Maryland using social engineering techniques.

“We are the ones who organised this leak and they were communicating with us,” a member of the hacker group told DataBreaches.

“We were acting like a RedHat organization and they just stopped communicating with us.”

The threat actor claimed to be a long-established group that had, up until this point, avoided extensive media attention.

According to the attackers, Marriott’s security was “very poor” and that they had little trouble extracting the data from the company’s systems.

Melissa Froehlich Flood, a representative for the business, told The Verge that the company is aware of a threat actor who employed social engineering to mislead one associate at a single Marriott hotel into giving access to their system.

Prior to disclosing the attack, the threat actor sought to blackmail the hotel chain with the data, but Marriott declined to pay.

Although Marriott was originally in contact with the hackers, in the end they ignored their requests.

According to Marriott, there is no evidence that the threat actor had access to anything but the data that were available to this one employee.

Despite this, Marriott says it will be notifying nearly 300-400 people whose personal information was compromised as a result of the hack. The majority of these individuals were formerly employed by Marriott.

In addition, the relevant law enforcement authorities have been informed.

Commenting on the latest data breach impacting Marriott, Steve Moore, chief security strategist, Exabeam, said: “According to the unnamed group that claimed responsibility for this attack, their ‘patient zero’ was tricked into providing access to the computer on Marriott’s network – this is common and often defeats even the best security controls. Even with social engineering, there’s typically a short list of methods employed by the adversary post-contact. Therefore, defenders must focus on the truths of what comes next – credential theft and misuse, along with deviant behaviour.”

The group is as yet unnamed, but according to Moore appears to be disciplined and measured in its actions, meaning it is probably not new (it claims to have been operating for five years) but prefers to operate under the radar.

This is not the first data leak that Marriott has experienced.

In 2014, hackers breached the hotel chain and gained access to the guest data of millions of customers worldwide.

The incident was not discovered until September 2018, which resulted in a fine of £18.4 million from the Information Commissioner’s Office in the UK.

Marriott said in November 2018 that an unidentified group of attackers had accessed the names, addresses, passport numbers and contact details of customers from its Starwood Hotels reservation system.

In April 2020, Marriott disclosed a second data breach that involved an application the chain used to provide services to guests. The hackers obtained the login credentials of two employees at a franchise property, and then used the access to steal the personal information of up to 5.2 million guests from Marriott’s systems.


Leave a Reply

Your email address will not be published.

Back to top