Marriott has announced that at the end of February 2020 they identified that information of up to 5.2 million guests was accessed using the login credentials of two employees at a franchise property. They suspect this activity started in mid-January 2020. The following information may have been involved:
- contact details (e.g., name, mailing address, email address, and phone number)
- loyalty account information (e.g., account number and points balance, but not passwords)
- additional personal details (e.g., company, gender, and birthday day and month)
- partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
- preferences (e.g., stay/room preferences and language preference)

Marriott has sent out an e-mail to potentially affected customers and will be providing them with IdentityWorks credit monitoring.

In late 2018 Marriott announced that SPG reservation systems were breached and 500 million customers were affected. It’s troubling that individual employees have access to this level of information and were presumably able to export that information undetected for more than a month. This shows why we need tougher penalties for data breaches; otherwise they will simply be considered a cost of doing business.
