Marriott Plays Down 20GB Data Breach

Cybersecurity at Marriott International is under scrutiny once again this week after hackers reportedly stole 20GB of data from one of its hotels in the US.

The hotel giant claimed that a threat actor managed to socially engineer an “associate” at the BWI Airport Marriott in Baltimore, Maryland, enabling them to exfiltrate data from that individual’s computer.

The group added that this was an isolated incident, contained within a few hours, and that it had “no evidence that the threat actor had access beyond the files that were accessible to this one associate,” according to DataBreaches.net.

However, while most of the data stolen appears to have been “non-sensitive business files,” Marriott said it would be informing 300-400 people who had sensitive personal information exposed in the incident.

Screenshots provided by the threat actor appear to reveal full corporate credit card numbers, CVV details and expiry dates for some guests. HR files containing information on employees were also apparently in the 20GB trove.

The incident is the latest in which a malicious third party has tried to extort a victim organization after stealing information. That was the modus operandi of the infamous Lapsus$ threat group and highlights a diversification away from the use of ransomware payloads to force payment. Marriott said it refused to pay the ransom.

This is also the latest in a long line of security incidents at Marriott International. Most notably, the firm was fined £18.4m by the UK’s data protection watchdog two years ago for "failing to keep millions of customers' personal data secure."

Personal information on over 330 million guests was exposed after an attack that began in 2014 on Starwood Hotels, which Marriott purchased years later.

Also in 2020, Marriott revealed another breach, this time affecting 5.2 million guests, after employee log-ins were stolen.

Sam Curry, chief security officer at Cybereason, argued that Marriott has a “mature and talented security team,” but that persistent cyber-criminals will always pose a significant challenge.

“Today, employees continue to frequently be the weakest link inside the company, whether malicious or inadvertent. Think of security awareness training like a basketball team that needs more practice to execute the plays with precision in the games. The only way you can improve is with practice, patience and repetition,” he added.

“Ultimately, practice in peacetime to help reduce the risk associated with the real threats when they hit your company. And you must have a detection strategy and you must test it all. Then you tune and tune and tune.”
