The Marriott Hotel Group has announced that it has been hit by a third data breach in just over two years, this time involving the private data of up to 5.2m guests.
The hotel group that manages Marriott Hotel, Starwood Hotels issued a public statement that uses an application to help provide services to its guests. However from the middle of January this year, the login details of two staff members at a franchised property were used to access guest information on this app. They have not publicly stated which chain of hotels was to blame for the attack. Starwood Hotels operates 11 hotel brands including 1,297 properties comprising 370,000 hotel rooms in around 100 countries worldwide.
At the beginning of March the data breach was discovered and access to the compromised accounts was quickly turned off and an official review into the breach was begun.
A spokesperson for the hotel chain said that an “unexpected amount of guest information may have been accessed”. It went on to add that there is no indication that passwords, PINs, payment card information, passport information or national IDs were obtained as part of the breach.
However, a range of other information that was accessible during the breach incorporates contact details, loyalty account information, partnerships and affiliations, hotel preferences and other personal information.
Marriott has created a self-service portal for guests to check whether or not their information was involved in this and what information may have been accessed. Along with this the group has also established call centres to assist guests and is offering a year free subscription to a privacy monitoring servicE to any customers that may have been impacted by the private data breach.
Passwords have already been turned off on impacted accounts and Marriott is asking that guests visit their account portal, set a new password and enable two-factor authentication. Guests should also keep a close eye on all of their account for anything that might be look unusual or unexplainable usual activity. If anything is noticed then it should be reported at once.
The group could how be sanction with e a range of different fines and penalties unders legislation in such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Brendan McManus Global Corporate/Financial Communications and Executive Positioning for Marriott International “Our investigation is still open, and it is too early to comment.”