Marriott confirmed it was the target of yet another data breach after attackers recently breached the company's systems. The company said hackers used social engineering techniques to gain access to an employee's computer. After obtaining around 20GB of data, the person or group behind the attack tried to extort Marriott, but the company refused to pay up.
The hackers had access to Marriott's network for less than a day. The company told CyberScoop it was already investigating the breach before it received the extortion attempt. The incident is said to have taken place around a month ago, but it only just came to light. Marriott has informed law enforcement and it will notify between 300 and 400 unspecified individuals and regulators as required.
According to DataBreaches, which first reported on the attack, the hackers gained access to a server at BWI Airport Marriott in Maryland. They provided the publication with screenshots that appear to show reservation documents for flight crews, along with ]corporate credit card numbers for an airline or travel agency.
Marriott said most of the information was “non-sensitive internal business files regarding the operation of the property.” It's unclear what kinds of other customer and employee data was included. Engadget has contacted Marriott for comment.
This is at least the seventh data security incident involving Marriott since 2010, according to DataBreaches. One of the more notable cases emerged in November 2018. The company said hackers gained access to the reservation database of its Starwood subsidiary and obtained personal details of as many as 383 million guests (though some of those were believed to be duplicate records). The data included 5.3 million unencrypted passport numbers. The UK's Information Commissioner's Office fined Marriott £18.4 million (around $21.9 million at today's rates) over the incident.
Update 7/6 1:59PM ET: Marriott sent Engadget the following statement:
Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer. The threat actor did not gain access to Marriott’s core network. Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property. The incident was contained to a short period of time. Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay. The company is preparing to notify 300-400 individuals regarding the incident. Marriott has also notified law enforcement and is supporting their investigation.
