Hotel group Marriott International has reported that it has suffered its third major data breach of the past eight years as hackers gained access to one of its customer databases.
The latest incident in a string of attacks was reported to have happened in June 2022, when an anonymous hacking group used social engineering to gain access to an employee’s computer.
Marriott spokesperson Melissa Froehlich Flood said in a statement to technology publication TechCrunch that the company was “aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer”, but that “the threat actor did not gain access to Marriott’s core network”.
Social engineering is an attack vector in which hackers attempt to gain access to data by psychologically manipulating people into breaking usual security procedures. This gives the bad actors unauthorized access to confidential or sensitive information.
The National Cyber Security Council (NCSC) said in a statement on its website that the database to which the hackers gained unauthorized access contains information on up to approximately 500 million guests.
The first data breach, which took place in 2014 but was not detected until 2018, allowed hackers access to customer data including but not limited to names, email addresses, passport information, flight information including arrival and departure times, loyalty program numbers and VIP status.
The hotelier was fined US$15.4m in 2018 for failing to have proper safeguards in place, with an estimated 339 million customers affected by its first data breach.
The second breach, which affected an estimated 5.2 million people, took place in January 2020.
A spokesperson for the NCSC recommended that those who think they may have been affected by the breach look on the NCSC website for advice on suspicious phone calls and targeted emails that can follow a data breach.
They also recommended that those affected remain “vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns.”