In a Tuesday statement on its website, the company said that it discovered in late February that up to 5.2 million guests’ names, addresses, birthdays, email addresses, phone numbers and loyalty reward program numbers for the hotel chain and partner airlines may have been compromised, also noting that it “currently has no reason to believe” that passwords, passport information or driver’s license numbers were compromised.
The hotel giant did not reveal at which property the breach took place. However, it did specify that the incident occurred at a franchised hotel in Russia, where the hackers got access to the login credentials of two employees sometime during mid-January.
In a statement to the Wall Street Journal, Marriott spokesperson Brendan McManus did not specify whether the two employees are suspected of being complicit in the breach.
“Our investigation is ongoing, and it is too premature to comment on that,” McManus noted.
In October 2019, the hotel chain revealed that unknown hackers had obtained the names, addresses and social security numbers of at least 1,553 company employees through a vendor that “handled official documents such as court orders and subpoenas.”
In November 2018, a subsidiary of Marriott named Starwood revealed that more than 300 million guests’ data was exposed through a hack of the hotel company’s reservation database. Leaked information included passport numbers, payments cards and travel details. Marriot was forced to pay a $123 million fine to the UK Information Commissioner’s Office, since the breach affected around 30 million European Union residents.
A spokesperson for the UK Information Commissioner’s Office revealed Tuesday that the body is aware of the most recent breach.
“If a breach is likely to result in a high risk to people’s rights and freedoms, Marriott should be informing customers as soon as possible, so they can take any steps necessary to protect themselves,” the spokesperson said, the Wall Street Journal reported.
According to Richard Lawson, a partner at the law firm Gardner Brewer Martinez-Monfort PA, large companies can’t always prevent cyberattacks, but the repeated breaches of Marriott data could cause concern among government officials.
“But when you get into multiple breaches, then you’re automatically going to be dealing with intense scrutiny from the regulators,” Lawson told the Wall Street Journal. “The idea being, of course, that this company was on notice, this company had this issue before, and had a visit from us before. And here we are again.”