Marriott confirms data breach impacting up to 5.2 million people

The company has notified guests whose information was compromised in the incident

Marriott International disclosed on Tuesday a second data breach in three years, which may have leaked personal details of up to 5.2 million guests.

The company believes the breach likely started in mid-January, although it came to notice of the Marriott's IT security team only in late February.

According to the company, the incident involved an application used by its hotels to provide services to guests. The hackers obtained the login credentials of two employees at a franchise property, and then used the access to steal the personal information of up to 5.2 million guests from Marriott's systems.

Marriott says that after spotting the data breach, it started an investigation and also notified its customers. The company warned that customer names, phone numbers, addresses, date of birth, loyalty member data, and other travel details - such as room preferences and linked airline loyalty numbers - were likely compromised in the breach.

The company stresses that while the investigation is on-going, it has "no reason" to believe that hackers were able to steal financial details, such as payment card numbers or passport numbers, or account passwords for Marriott's Bonvoy rewards programme from its systems.

Marriott has disabled the accounts of all affected Marriott Bonvoy members, and those members are being asked to enable multi-factor authentication to protect their account from hackers in future.

The company has also set up a dedicated website to help the customers to see if their information was compromised in the incident.

"Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage," Marriott said.

"The company does not currently believe that its total costs related to this incident will be significant."

This is, however, not the first data breach involving Marriott.

In November 2018, Marriott had announced that the names, passport numbers, addresses, and contact details of its customers were illegally accessed from Starwood Hotels reservation system. The breach likely started in 2014, the company believed, and impacted up to 500 million people.

Last year in July, UK's Information Commissioner's Office (ICO) announced its intention to impose a fine on Marriott under the European Union's General Data Protection Regulation (GDPR) for data breach.

The ICO claimed that Marriott failed to take timely steps to secure its systems after buying Starwood in 2016. Following the ICO's announcement, Marriott said that it would contest the ruling.