Marriott International confirms second major data breach

The group said on Tuesday (31 March) the information was accessed via an application used by hotels operating, and franchised, under the Marriott flag to provide services to hotel guests.

In a statement, Marriott said the suspicious activity is believed to have started in mid-January when it identified an “unexpected amount” of guest information that was being accessed through the login credentials of two employees at a franchise property.

Marriott said these particular login details were disabled upon discovery of the breach, and an investigation launched immediately.

It believes information – including names, mailing addresses, email addresses, phone numbers, loyalty account information, additional personal information and stay preferences – belonging to up to 52 million guests may have been accessed. However, it said not all of this information was present for every guest.

Marriott added that while it was still investigating the matter, it did not believe the information included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s licence numbers.

All affected guests are being emailed and Marriott has set up a dedicated website and call centre resources for affected guests.

The company added it did not believe the total costs arising from the incident “would be significant”.

It comes just nine months after the hotel giant was fined £99 million in the UK after reporting a cyber attack to the Information Commissioner’s Office it discovered in November 2018.