Hotel group Marriott International has reported that it has suffered its third major data breach of the past eight years as hackers gained access to one of its customer databases.
The latest incident in a string of attacks reportedly happened in June 2022, when an anonymous hacking group used social engineering to gain access to an employee’s computer.
The unnamed group reportedly told DataBreaches that they were able to exfiltrate 20 GB of data including “some confidential and proprietary information”.
Marriott spokesperson Melissa Froehlich Flood said in a statement that the company was “aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer”, but that “the threat actor did not gain access to Marriott’s core network”.
Froehlich Flood also stated that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property, and that Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay.
Following the incident, the company is preparing to notify 300-400 individuals, in addition to notifying law enforcement.
Social engineering is an attack vector in which hackers attempt to gain access to data by psychologically manipulating people into breaking usual security procedures. This gives the bad actors unauthorized access to confidential or sensitive information.
The first data breach, which took place in 2014 but was not detected until 2018, allowed hackers access to customer data including but not limited to names, email addresses, passport information, flight information including arrival and departure times, loyalty program numbers and VIP status.
The hotelier was fined US$15.4m in 2018 for failing to have proper safeguards in place, with an estimated 339 million customers affected by its first data breach. This data breach involved a hacker gaining unauthorized access to a database containing information for over 500 million guests.
The second breach, which affected an estimated 5.2 million people, took place in January 2020.