Marriott hit by data breach through social engineering
Unknown attackers were reportedly able to exfiltrate 20GB of information from the company


Marriott International has revealed that unknown hackers infiltrated its computer networks and then attempted to extort the company.
The incident reportedly took place a month ago and the attackers were able to exfiltrate 20GB of data including credit card and confidential information, according to DataBreaches. The hotel impacted appears to be BWI Airport Marriott in Maryland in the US.
The breach occurred because an attacker carried out social engineering and successfully tricked an associate at a Marriott hotel into giving them access to the associated computer, Marriott said in a statement to IT Pro.
“Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property,” added the hotel chain.
Marriott claimed that the incident was contained in six hours and that it had identified and was investigating it before they were contacted by the unknown attackers. The hotel chain hasn’t made any kind of payment to the attackers so far, although it didn’t reveal whether it had negotiated at all.
“They were communicating with us and went silent for no reason, it might be because of the high pricing, but we are always willing to find a deal with our clients and told Marriott that we can provide all the discounts in the world,” the attackers said, who contacted DataBreaches.
Marriott said that while most of the data acquired by the attackers was “non-sensitive internal business files”, the company will be notifying around 300 to 400 individuals and any regulators as required. It didn’t provide a full description as to what kind of information was involved for the individuals being notified. Law enforcement has reportedly been notified and Marriott said it was supporting that investigation.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The attackers provided samples of the data, some of which reportedly appeared to be internal business documents with confidential and proprietary information such as how to access a labour management and scheduling platform. Additionally, there appears to be a relatively recent file detailing the average wages by department.
Other documents contained information on hotel guests and personnel, including their names and jobs, as well as corporate credit card numbers for some companies paying for employees to stay at Marriott.
The attackers revealed they are an international group that has been working for approximately five years. They claimed to have avoided media coverage by establishing a reputation for keeping communications and relationships confidential.
RELATED RESOURCE
Understanding the economics of in-cloud data protection
Data protection solutions designed with cost optimisation in mind
The group also claimed to never encrypt anything as it doesn’t want to interfere with business. It also added it doesn’t attack critical government infrastructure but focuses only on businesses.
IT Pro has contacted Marriott for comment.
This isn’t the first time that Marriott has experienced a data breach. In 2020, it was fined £18.4 million by a UK data regulator for a 2014 data breach that affected 339 million guest records worldwide. The ICO found that the company failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.
-
Neural interfaces promise to make all tech accessible – it’s not that simple
Column Better consideration of ethics and practical implementation are needed if disabled people are to benefit from neural interfaces
By John Loeppky
-
Solution Brief: Find Known and Unknown Threats Faster
Download Now
By ITPro
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Troy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
By Jane McCallion
-
LinkedIn has become a prime hunting ground for cyber criminals – here’s what you need to know
News Cyber criminals are flocking to LinkedIn to conduct social engineering campaigns, research shows.
By Solomon Klappholz
-
Phishing campaign targets developers with fake CrowdStrike job offers
News Victims are drawn in with the promise of an interview for a junior developer role at CrowdStrike
By Solomon Klappholz
-
Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week
News Fresh research demonstrates the sophistication and capability of state-sponsored threat actors to compromise diverse targets
By Richard Speed
-
Malware being pushed to businesses by search engines remains a pervasive threat
News High-profile malvertising campaigns in recent months have surged
By Ross Kelly
-
CISA: Phishing campaign targeting US federal agencies went undetected for months
News Threat actors used legitimate remote access software to maliciously target federal employees
By Rory Bathgate
-
Google Ads malvertising campaign prompts questions around Search security
News A leading security researcher has called into question why Google still allows malware links to top search results
By Rory Bathgate
-
Uber hacked via basic smishing attack
News The self-taught hacker impersonated an IT worker to gain an Uber employee's password, obtaining broad access to internal systems and posting taunting messages
By Rory Bathgate