For the second time in less than 18 months, Marriott International has experienced a data breach, the company reported Tuesday. The breach affects up to 5.2 million guests, and the company is emailing all those affected, Marriott said in a statement. The first incident, announced in November 2018, involved Starwood Hotels & Resorts data. Marriott acquired Starwood in 2016.
The information was accessed through an application used by hotels operated and franchised under Marriott brands to provide services to guests. The information compromised included contact details, such as name, mailing address, email address and phone number; loyalty account information, including account number and points balance but not passwords; additional personal details like company, gender, birth day and month; partnerships and affiliations, such as linked airline loyalty programs and numbers; and preferences, including room and language preferences. Not all guests had all of that information stored in the application.
Marriott said it has "no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver's license numbers."
The company first noticed at the end of February that two franchise employees' login credentials were used to access a larger volume of guest records than normal, but believes the activity started in mid-January, the statement said. The company confirmed that the login credentials were disabled, and it began an investigation, heightened monitoring, began to inform and assist guests, and notified the relevant authorities. The investigation is ongoing.
Marriott has set up a dedicated website and call center resources with additional information for guests. It also is providing, where available, the option to enroll in IdentityWorks monitoring service free of charge for one year. Guests have until June 30, 2020, to enroll.
Marriott is not the only hotel company to experience a data breach. Prior to being acquired by Marriott, Starwood Hotels & Resorts disclosed in November 2015 that malware had been found on its point-of-sale systems. Hyatt Hotels Corp., Hilton Worldwide and InterContinental Hotels Group also have disclosed their own POS system breaches.