The new data breach exposed the records of about 5.2 million guests in early 2020 when hackers managed to get access to the login credentials of a couple of employees. It appears that the hackers had access to the personal information stored in customer loyalty accounts, including home addresses and phone numbers.
The new Marriott data breach
The only relative silver lining is that this data breach is not as large and damaging as the one the company suffered in 2018, at least based on the early information that is available. That 2018 breach of the company’s Starwood subsidiary leaked information about 383 million guests, including about eight million credit card numbers and five million passport numbers.
Though some sensitive personal data was exposed in this recent breach, right now it does not appear that any payment information or photo identification numbers were exposed. However, the hackers did have access to plenty of information that is useful for fraud: full names, mailing addresses, phone numbers, email addresses, dates of birth, loyalty member account numbers, and any linked loyalty program numbers that members may have transferred points to or from.
The fact that linked loyalty program numbers and room preferences were leaked raises the question of whether the hackers had enough access to loyalty accounts to view and transfer user points. Points are as good as currency for a wide range of purposes, and loyalty program accounts have been a frequent target of cyber criminals as of late. Marriott has not clearly stated whether or not loyalty points were compromised, but did state that user passwords were not breached. It would be wise for Marriott rewards members to change their passwords immediately as a precaution, however; it appears that the hackers could at least see the balance of points in each account, which means that Bonvoy members who have stored up rewards could be singled out for fraud attempts in the coming days.
Marriott guests who are impacted by this should have received an email about it from a marriott.com account indicating that their logins had been automatically disabled, and would be prompted to enter a new password with a multi-factor authentication measure upon their next login. Marriott has also said that they will offer all affected members a year of Experian’s IdentityWorks credit monitoring service.
Marriott discovered the breach in mid-February, but believes it took place sometime in early January. It was traced back to two employee accounts at one particular franchise property, which they declined to identify.
The fallout for Marriott?
Marriott was hit with a $123 million fine in the EU as a result of the 2018 data breach. At about 0.5% of the company’s annual revenue, that was a substantial fine, but it was well short of the maximum possible penalty of 4% of annual revenue under the GDPR.
Given that this recent data breach involved only a fraction of the customer records and no payment information, any fine would likely be substantially smaller. Since the action can apparently be traced back to the credentials of two employees at a specific property, penalties might be limited to that particular locality (wherever it might be).
Though such a penalty might be trivial under other circumstances, the hotel chain can ill afford any other substantial added expenses given that it projects losing up to 90% of its revenue in some countries for an unknown number of months. The breach may hit the company harder in the form of another class action lawsuit, or an addition to the lawsuit over the 2018 data breach (which was just allowed to proceed in a US federal court in February).
ATO attacks steady during travel shutdowns
Perhaps the biggest takeaway from this incident is that attacks on travel companies, and particularly reward programs, are not slowing down even as their business does. Ameet Naik, security evangelist at PerimeterX, has data that any company in the industry should consider: “In the past month we have seen a significant increase in the percentage of ATO traffic to travel and hospitality sites, surging to as high as 80% of all login attempts. This shows that while travelers are staying home, the hackers are still out and about. For enterprises, it is extremely important to use multi-factor authentication for admin accounts, and use bot management solutions to limit automated attacks. For consumers, it is best to use different passwords on every site and to lock down their credit reports.”
A temporary downturn in business doesn’t mean that hackers are any less interested in the trove of personal details, stored payment information and loyalty program points that hotels and travel companies are sitting on. Data breach defense is an extra challenge with resources being stretched so thin, however. Marcus Fowler, Director of Strategic Threat at Darktrace, suggests that companies that might have been fence-sitting on automated defense measures use this as an opportunity to implement them: “Employees need to remain on high alert for targeted phishing campaigns and businesses need to find ways to support their security teams. Technology like AI that can streamline investigations and stop attacks before they can do damage can buy back valuable time for overwhelmed teams.”
And for companies whose IT staff find themselves with relative downtime due to the lack of business, Cloud Range Cyber CEO Debbie Gordon suggests training simulations: “Ultimately, the only way to prepare for an event – the only protective measure that stands between a threat and an actual breach – is to supply cybersecurity teams simulation exercises designed to help them think critically in order to detect, respond to, and remediate cyber-attacks. These exercises measure their detection and response time preparedness, which will reduce dwell time and minimize risk to any organization. Hackers’ skills are constantly evolving; but companies can overcome the cyber skills gap by implementing advanced simulation training before threats fully develop and breaches occur.”