Marriott International acknowledged today that personal information for approximately 5.2 million guests might have been accessed using the login credentials for two employees at one of the company's franchise properties. The hospitality company, which began notifying those guests today, has no reason to believe that the information included Marriott Bonvoy account passwords or PINs, driver's license numbers, nor any information from payment cards, passports or national IDs.
The app in question is used by hotel properties operated and franchised under Marriott's brands to provide guest services. The hotel giant flagged the potential breach at the end of February 2020, when it was discovered that an unusual quantity of guest info was being accessed using the login credentials of just two property employees. Marriott immediately disabled those credentials and launched an investigation and ramped up security monitoring. Company investigators believe the unusual activity began in mid-January of this year.
The information that could have been accessed for affected guests includes the following, although not every guest account included all of this data:
- Contact details (such as name, mailing address, email address and phone number);
- Loyalty account information (such as account number and points balance, but not passwords);
- Additional personal details (company, gender, birthday day and month);
- Partnerships and affiliations (linked airline loyalty programs and numbers); and
- Preferences (stay/room preferences and preferred language).
In addition to contacting affected guests via email, Marriott has a dedicated website with call-center numbers and additional details about the breach. Given the relatively brief span of the breach and the type of information accessed, Marriott officials don't believe that total costs related to the incident will be significant. The company does carry cyber insurance and is currently assessing coverage.