Marriott hit by data breach through social engineering

Marriott International has revealed that unknown hackers infiltrated its computer networks and then attempted to extort the company.

The incident reportedly took place a month ago and the attackers were able to exfiltrate 20GB of data including credit card and confidential information, according to DataBreaches. The hotel impacted appears to be BWI Airport Marriott in Maryland in the US.

The breach occurred because an attacker carried out social engineering and successfully tricked an associate at a Marriott hotel into giving them access to the associated computer, Marriott said in a statement to IT Pro.

“Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property,” added the hotel chain.

Marriott claimed that the incident was contained in six hours and that it had identified and was investigating it before they were contacted by the unknown attackers. The hotel chain hasn’t made any kind of payment to the attackers so far, although it didn’t reveal whether it had negotiated at all.

“They were communicating with us and went silent for no reason, it might be because of the high pricing, but we are always willing to find a deal with our clients and told Marriott that we can provide all the discounts in the world,” the attackers said, who contacted DataBreaches.

Marriott said that while most of the data acquired by the attackers was “non-sensitive internal business files”, the company will be notifying around 300 to 400 individuals and any regulators as required. It didn’t provide a full description as to what kind of information was involved for the individuals being notified. Law enforcement has reportedly been notified and Marriott said it was supporting that investigation.

The attackers provided samples of the data, some of which reportedly appeared to be internal business documents with confidential and proprietary information such as how to access a labour management and scheduling platform. Additionally, there appears to be a relatively recent file detailing the average wages by department.

Other documents contained information on hotel guests and personnel, including their names and jobs, as well as corporate credit card numbers for some companies paying for employees to stay at Marriott.

The attackers revealed they are an international group that has been working for approximately five years. They claimed to have avoided media coverage by establishing a reputation for keeping communications and relationships confidential.

The group also claimed to never encrypt anything as it doesn’t want to interfere with business. It also added it doesn’t attack critical government infrastructure but focuses only on businesses.

IT Pro has contacted Marriott for comment.

This isn’t the first time that Marriott has experienced a data breach. In 2020, it was fined £18.4 million by a UK data regulator for a 2014 data breach that affected 339 million guest records worldwide. The ICO found that the company failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR.