Marriott International Data Breach

Marriott International Data Breach due to Human Error


Marriott International recently suffered its third publicly acknowledged data breach in four years. The company acknowledged the incident after databreaches.net reported that an unnamed threat actor claimed to have stolen 20 gigabytes of sensitive data. Marriott claims that the incident was quickly contained and that potential exposure was limited to only 400 individuals.

An investigation found that the threat actor used "social engineering" to trick an associate of a single Marriott hotel into providing access to the organization's computer. The threat actor's probing was limited to the information within that single hotel, and the actor could not gain access to Marriott's core network. The information accessed includes non-sensitive internal business files regarding the operation of the business. The company successfully detected and responded to the threat before the threat actor could resort to an extortion attempt.


The unnamed actor claiming responsibility has stated that the information accessed includes:

  • Documents containing personal information.
  • Airline flight crews' names.
  • Corporate credit card information.
  • The BWI (Baltimore/Washington International) Airport Marriott property room numbers.

Marriott states that no such information was accessed but that it has taken action to notify law enforcement for further information.

The last time Marriott mentioned "cyber security" in its earnings call was late in mid-2019. This is a concerning fact about Marriott's cybersecurity governance. A filing with the Securities and Exchange Commission, reported in 2021, states that Marriott had spent nearly $16 million to recover from the 2018 data breach.



About the Author

Ruben George