
Hotel giant Marriott International confirmed it was hit by another data breach after an unknown threat actor breached one of its properties and stole 20GB of files.
The attackers could only breach one of the chain's properties, BWI Airport Marriott, and only had access to its network for a limited time.
"This incident only involved one property. The threat actor did not gain access to Marriott's core network. The access to one device at the property involved only lasted for approximately six hours," a Marriott spokesperson told BleepingComputer.
"The threat actor used social engineering to trick one associate at a single Marriott hotel into providing access to the associate's computer. The threat actor did not impersonate any Marriott vendor."
Data breach affected 300-400 individuals
While the company did not share any info on the stolen data with BleepingComputer, it told DataBreaches (which first reported the incident) that the 20GB worth of documents stolen during the breach contained non-sensitive internal business files and some credit card information.
However, Marriott has yet to say whether the exfiltrated information belonged to the hotel's guests, its employees, or both.
The attackers also attempted to extort Marriott under the threat of leaking the stolen files online. Still, the hotel group told BleepingComputer that it "did not make any payment or provide anything to the threat actor."
Marriott said that it notified the FBI and hired a third-party security firm to investigate the incident.
The hotel giant added that it would notify relevant data regulators and roughly 300-400 individuals affected by this data breach.
Third data breach disclosed since 2018
This is the third data breach Marriott has confirmed since 2018 after exposing the personal information of 5.2 million hotel guests (including contact and personal details) in a data breach it disclosed in 2020.
The company also announced in November 2018 that its Starwood Hotels guest reservation database containing info on hundreds of millions of guests was hacked.
Marriott discovered the incident two years after Starwood's acquisition and said the information stolen in the incident included guests' names, personal info, addresses, unencrypted passport numbers, and AES-128-encrypted payment information.
As Marriott added at the time, signs of unauthorized access were detected as far back as 2014, compromising the personal info of roughly 339 million guest records globally.
The UK Information Commissioner's Office (ICO) fined Marriott International £14.4 million (approximately $24 million) for infringing the General Data Protection Regulation (GDPR).
Comments
crakpot - 10 months ago
Not surprised. Most hotels have publicly accessible RJ45 connections, from the guest services area, conference rooms, breakfast bar, etc. On top of that, the management companies tend to hire the cheapest IT services in that area to manage the hotel's network. This, coupled with lack of knowledge from the staff and high turnover rates, doesn't help. Most all of these networks are on a single broadcast domain or have zero/poor VLAN configurations. (Side note, most hotels have very poor or nonfunctioning camera systems.) For example, a working network port in a public area has access to the back office network along with access to the brand's VPN and HQ network.
Whether it be from a social engineering attack or just plugging into the network jack at the guest services booth, the person would have access to all internal data. - Worked at a REIT for 10+ years.