Marriott International has today announced that it has suffered a data breach affecting up to 5.2 million people.

The hotel chain says it uses an application to help provide services to its guests. Beginning mid-January this year, the login credentials of two employees at a franchised property were used to access guest information on this app.

When the breach was discovered at the end of February, Marriott International says it disabled those login credentials and began its investigation.

What data was accessed?

Marriott says it believes the following information “may have been involved”, although not every category was present for every guest:

  • Contact details (name, mailing address, email address, and phone number)
  • Loyalty account information (account number and points balance, but not passwords)
  • Additional personal details (company, gender, and birthday day and month)
  • Partnerships and affiliations (linked airline loyalty programs and numbers)
  • Preferences (stay/room preferences and language preference)

Marriott says there is currently no reason to believe the information accessed included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.

Marriott says it informed guests via email, today (31st March), from the address [email protected]. It says it’s giving guests the option of accessing a data monitoring service for a year.

What to do

  • Marriott International has set up a self-service portal where you can check whether your information was accessed and, if so, which information. It has also listed a set of phone numbers you can call on its breach announcement page.
  • If your information was involved, Marriott has disabled your password and you’ll be prompted to enter a new one when you next log in. The company is also recommending you enable two-factor authentication (2FA) on your account, although we couldn’t find the option when we logged in.
  • Stay alert for scams. Criminals like to take advantage of breaches to send phishing emails or spin up fake websites. Don’t click on any links, and verify anything you encounter by heading directly to the official breach website or calling the official call center numbers. Marriott says if it contacts you by email it’ll do so from the [email protected] email address, and won’t send emails with attachments or ones that ask for information.

Sourced from: Anna Brading / Sophos Naked Security Blog