In November 2018, hotel giant Marriott disclosed that it had suffered one of the largest breaches in history. That hack compromised the information of 500 million people who had made a reservation at a Starwood hotel. On Tuesday, Marriott announced that it had once again been hit, with up to 5.2 million guests at risk. Which is a kind of progress, in a way?
The details of this latest hack seem to be not quite as devastating as the last one, too, given that sensitive information like passport numbers doesn't seem to be affected. Still, that a major company could get hit twice in such a relatively short time frame underscores how at-risk your data is—and how not enough is being done to protect it.
According to details provided by Marriott on Tuesday, the intrusion dates back to mid-January, when someone used the credentials of two franchise property employees—whether those credentials were stolen is unclear at this point—to access an "unexpected amount of guest information." Those data points included contact details like names, email and home addresses, and phone numbers, as well as gender, birthday, frequent flier numbers, loyalty account info, and hotel preferences, like whether you like being near or far from the elevator.
Marriott finally observed the suspicious activity by the end of February, indicating that it persisted for several weeks before getting flagged. Marriott then disabled the credentials, started an investigation, and finally sent out emails on Tuesday to the guests it believes were affected.
While Marriott bears ultimate responsibility, it's worth noting that both of its recent hacks were arguably indirect attacks. The 2018 breach was specifically against the reservation database of Starwood, which Marriott acquired in 2016. And this more recent one began with a franchisee. "Marriott again demonstrates that companies must secure not only their business but that of their partners, contractors, and franchisees," says Mark Sangster, vice president of security firm eSentire. "Supply chain is one of the greatest vulnerabilities for companies like Marriott."
Up to 5.2 million members of the Marriott Bonvoy loyalty program may have had their personal information stolen, although be aware that sometimes those numbers get upwardly revised. If you're one of them, you should have gotten an email Tuesday from the not-at-all-suspicious-looking address "marriott@email-marriott.com." To be extra sure either way, you can also enter your name, email address, and country of residence at this also-totally-not-safe-looking online portal that Marriott has established.
If you're a victim, Marriott has already changed your Bonvoy account password, so you'll need to reset it. When you do, it'll prompt you to enable two-factor authentication to protect your details, which you absolutely should. And if the franchise employee's credentials were stolen, Marriott's hopefully applying that same level of heightened security to its own staff as well. The company did not immediately respond to a request for comment.
"Most breaches could simply be prevented with multifactor authentication," says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. "For any type of elevated access, organizations should be leveraging enhanced security controls. Multifactor authentication should be applied for everyone. And for elevated accounts that have high levels of access, the scrutiny on security should be even more extensive."
For US residents affected, Marriott will pay for a year of identity monitoring from IdentityWorks, which is managed by the credit-reporting company Experian. You have until June 30 of this year to enroll at this site. (Non-US residents have a separate site here.) You'll need an activation code that you can find either in the notification email or Marriott's new "Did my info get hacked" portal.
Based on what we currently know, it's certainly not as bad as the 2018 breach, which not only comprised especially sensitive information like passport numbers but was also part of state-sponsored Chinese hacking campaign. But don't let the smaller number of victims and the more mundane information fool you. It's still pretty bad.
"Loyalty account numbers and history, and traveler preferences, allow criminals to tailor phishing campaigns with individualized schemes that become almost impossible to detect with the naked eye," says Sangster. (Here are some tips on how to avoid them.) Not to mention that it took Marriott over a month to notify people that their information had been compromised, giving those scammers and hackers a significant head start.
There's also the matter of Marriott's overall security posture, especially given that it had suffered such a high-profile incident so recently. "There are outstanding questions about the security of Marriott's APIs and how hotels are allowed to access them," Rusty Carter, vice president at security firm Arxan Technologies says. "In the same way that a store manager balances the register each day, companies in possession of customers' personal data should verify access to individuals' information and be able to quickly identify anomalies."
Marriott isn't the first company to get hacked multiple times, even at this scale. (Yahoo takes the crown, with separate hacks of 500 million and 3 billion users, respectively.) But the hotel chain's troubles are a reminder that repeat breaches are less like lightning striking twice than a carousel making another round.
- The mom who took on Purdue Pharma for its OxyContin marketing
- A critical internet safeguard is running out of time
- Covid-19 is bad for the auto industry—and even worse for EVs
- Going the distance (and beyond) to catch marathon cheaters
- Uncanny portraits of perfectly symmetrical pets
- 👁 Why can't AI grasp cause and effect? Plus: Get the latest AI news
- ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers
