In November 2018, hotel giant Marriott disclosed that it had suffered one of the largest breaches in history. That hack compromised the information of 500 million people who had made a reservation at a Starwood hotel. On Tuesday, Marriott announced that it had once again been hit, with up to 5.2 million guests at risk. Which is a kind of progress, in a way?
The details of this latest hack seem to be not quite as devastating as the last one, too, given that sensitive information like passport numbers doesn’t seem to be affected. Still, that a major company could get hit twice in such a relatively short time frame underscores how at-risk your data is—and how not enough is being done to protect it.
According to details provided by Marriott Tuesday, the intrusion dates back to mid-January, when someone used the credentials of two franchise property employees—whether those credentials were stolen is unclear at this point—to access an “unexpected amount of guest information.” Those data points included contact details like names, email and home addresses, and phone numbers, as well as gender, birthday, frequent flier numbers, loyalty account info, and hotel preferences, like whether you like being near or far from the elevator.
Marriott finally observed the suspicious activity by the end of February, indicating that it persisted for several weeks before getting flagged. Marriott then disabled the credentials, started an investigation, and finally sent out emails on Tuesday to the guests it believes were affected.
While Marriott bears ultimate responsibility, it’s worth noting that both of its recent hacks were arguably indirect attacks. The 2018 breach was specifically against the reservation database of Starwood, which Marriott acquired in 2016. And this more recent one began with a franchisee. “Marriott again demonstrates that companies must secure not only their business but that of their partners, contractors, and franchisees,” says Mark Sangster, vice president of security firm eSentire. “Supply chain is one of the greatest vulnerabilities for companies like Marriott.”
Up to 5.2 million members of the Marriott Bonvoy loyalty program may have had their personal information stolen, although be aware that sometimes those numbers get upwardly revised. If you’re one of them, you should have gotten an email Tuesday from the not-at-all-suspicious-looking address “email@example.com.” To be extra-sure either way, you can also enter your name, email address, and country of residence at this also-totally-not-safe-looking online portal that Marriott has established.
If you’re a victim, Marriott has already changed your Bonvoy account password, so you’ll need to reset it. When you do, it’ll prompt you to enable two-factor authentication to protect your details, which you absolutely should. And if the franchise employee’s credentials were stolen, Marriott’s hopefully applying that same level of heightened security to its own staff as well. The company did not immediately respond to a request for comment.
“Most breaches could simply be prevented with multi-factor authentication,” says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. “For any type of elevated access, organizations should be leveraging enhanced security controls. Multi-factor authentication should be applied for everyone. And for elevated accounts that have high levels of access, the scrutiny on security should be even more extensive.”
If you were affected, Marriott will pay for a year of identity monitoring from IdentityWorks, which is managed by credit reporting company Experian. You have until June 30 of this year to enroll at this site (for US residents; non-US residents have a separate site here); you’ll need an activation code that you can find either in the notification email or Marriott’s new “did my info get hacked” portal.
How Serious Is This?
Based on what we currently know, it’s certainly not as bad as the 2018 breach, which not only comprised especially sensitive information like passport numbers but was also part of state-sponsored Chinese hacking campaign. But don’t let the smaller number of victims and the more mundane information fool you. It’s still pretty bad.
“Loyalty account numbers and history, and traveler preferences, allow criminals to tailor phishing campaigns with individualized schemes that become almost impossible to detect with the naked eye,” says Sangster. (Here are some tips on how to avoid them.) Not to mention that it took Marriott over a month to notify people that their information had been compromised, giving those scammers and hackers a significant head start.