Marriott International Inc. has suffered yet another data breach, the second time the hotel chain has had data stolen this year.
First reported by DataBreaches.net, an unnamed hacking group claimed to have stolen roughly 20 GB of data. The data, including credit card information and personally identifiable information on guests and workers, was stolen from an employee at the BWI Airport Marriott in Baltimore.
Marriott has confirmed the data breach, saying that while some data had been exfiltrated, the incident was less significant than the hackers had described it, with only non-sensitive internal business files being stolen. The attack vector involved the hackers tricking a Marriott associate into giving them access to the associate's computer through social engineering.
The hacking group also demanded a ransom payment from Marriott to not release the stolen data, but the ransom was not paid. The amount demanded by the hackers was not disclosed but was described by them as being high.
Marriott claims that it had identified the incident before being contacted by the hackers and contained it within six hours. The hotel chain is informing approximately 300-400 individuals who may have been affected and has also informed regulators and law enforcement.
They say lightning never strikes the same place twice, but when it comes to data breaches, Marriott has now achieved a rare hat trick.
Marriott was hacked via its Starwood subsidiary in 2014, but the hack was only discovered and reported in November 2018. That hack involved the theft of data relating to some 500 million customers and was later linked to Chinese state-sponsored hackers, a claim the Chinese government denied.
Fast forward to March, and Marriott was found to have suffered yet another data breach, one believed to have involved data theft from mid-January. The data stolen in this case included the personal information of some 5.2 million guests and is believed to have been accessed by an unknown third party using the login credentials of two employees at a group hotel operated as a franchise.
“Threat actors continue to use proven social engineering techniques to gain access to systems and it appears that a major international hotel chain is the latest victim in this technique,” Tom Garrubba, director of third-party risk management at security solutions provider Echelon LP, told SiliconANGLE. “As an organization’s security team continues to educate end-users on ways to identify phishing and other cyber threats, this latest report emphasizes the continued danger of social-engineering exploitations particularly as employees have begun a mass return to the office.”
Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4 Inc., commented that “organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training.”
“Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to put these types of attacks,” Grimes added.