Marriott International has acknowledged yet another data breach, this time impacting between 300 and 400 individuals.
Marriott told Dark Reading that the attackers used a social-engineering scam to trick a single hotel employee into turning over credentials for computer access. Now, the attackers want extortion money. The hotel chain added that it’s preparing to notify people who were compromised.
DataBreaches.net was first to report on the latest Marriott compromise after the outlet said the threat actors contacted it to boast about the breach. The report said the Marriott attackers specifically targeted the Marriott at the BWI airport in Baltimore, Md., and were able to exfiltrate 20 GB of data, including credit card details.
“The threat actor did not gain access to Marriott’s core network,” a Marriott spokesperson said in a statement to Dark Reading. “Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property.”
The spokesperson added that the company was already aware of the incident and investigating before the attacker contacted Marriott with payment demands. Marriott refused to pay and is working with law enforcement, the person said.
According to the DataBreaches.net report, some of the information exposed included personally identifiable information (PII) for flight crews staying at BWI, including names, flight numbers and times, employment position, room number, and…
