Given Marriott’s general cybersecurity history, expectations for the chain are not very high at present. Thus, a recent data breach that “only” compromised one property and “only” resulted in the theft of some 300 to 400 customer credit card numbers seems relatively benign next to its prior incidents: the 2014 mega-breach that impacted some 340 million customers worldwide (and was not revealed until 2018), and the 2020 breach that exposed personal profile details of 5.2 million guests.
The data breach took place at the BWI Airport Marriott near Baltimore, and Marriott says that it is directly contacting the 300 to 400 guests who had credit card information exposed. A social engineering attack was executed on a member of the hotel staff, who unwittingly granted the hacker access to the property’s network.
Another data breach for Marriott, but involving only one property
A statement from Marriott indicates that the attacker only had access to the BWI Airport Marriott systems for six hours. However, that was long enough to exfiltrate about 20GB of data. This was apparently mostly “non-sensitive” hotel business information, but it also included the hotel’s payment and reservation records containing customer credit card information.
Given that the hotel has 310 rooms, it is possible that the attacker only accessed information for guests that were checked in at the time or had upcoming reservations; information leaked to Databreaches.net indicates…
