In November 2018, Marriott International suffered one of the largest data breaches of all times. At the time the breach occurred, the number of records stolen was believed to be 500, a figure that was later lowered to 339 million, still a considerable amount of personal data.
The personal information stolen in this breach was compromised by an unauthorized third party, who had been able to access the data of clients registered in the company’s network since 2014. The information copied by the cybercriminal included “a combination” of name, home address, telephone number, email address, passport number, account information, date of birth, gender, and hotel check-in and check-out data. Some records also included encrypted payment card information.
As a result of this data breach, in July 2019, the ICO, the UK data protection authority, proposed a fine of £99 million (€110,385,736) under the GDPR for the hotel chain. However, as Privacy Affairs explains, this fine is not yet definitive, and the final amount may vary significantly.
A new data breach at Marriott International
Now, to make matters worse, towards the end of March, Marriott International announced that it had suffered another data breach. This incident was detected in mid-February, and the personal information of some 5.2 million guests of the hotel chain are believe to have been affected.
The company released a statement explaining that, “At the end of February 2020, we noticed that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.”
“We believe this activity started in mid-January 2020. Upon discovery, we immediately ensured the login credentials were disabled, began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
The leaked information
Investigations into the breach are ongoing, but Marriott says that there is no “reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
The company has explained that the leaked information includes names, home and email addresses, phone numbers, dates of birth and information about guests’ preferences in hotels.
To assist those affected by the breach, Marriott has set up a portal where they can determine if their information was involved in the breach, and what categories of data were affected. Passwords for Marriott Bonvoy accounts that may have been affected have been reset. What’s more, the next time those accounts are used, their owners will be prompted to enable multi-factor authentication. The company is also offering those affected a one-year subscription to a personal data monitoring service.
Since it came into force in May 2018, over 250 organizations have been sanctioned under the GDPR. The fine that Marriott received last year is the second highest to date, the record being held by British Airways: The ICO proposed a fine of £183 million (€204,600,000) for the airline. 2019 was the year of the multimillion-euro fine under the European regulations. six companies received fines of over one million euros for non-compliance with the GDPR.
How to avoid data breaches
This data breach demonstrates the importance of having rigorous control over the credentials of the accounts we use. Passwords must be robust, and it is important to change them regularly. Furthermore, although it is not entirely infallible, it is a good idea to use multi-factor authentication to add another layer of protection to accounts.
Another important measure to protect the personal data stored in your company is to have comprehensive control over it. To achieve this, Panda Adaptive Defense has an additional module, Panda Data Control. Data Control discovers, audits, and monitors unstructured personal data on computers: from data at rest, to data in use, and data in motion. This way, if someone tries to perform any action on this personal data, or tries to steal it, you will receive a notification.
After its 2018 data breach, Marriott will have increased its security measures to deal with and prevent the loss of personal information. However, this second data breach makes it very clear that only the strictest measures are sufficient for avoiding this kind of incident.