Marriott confirmed it was the target of another data breach after attackers recently penetrated the company’s systems. The company said hackers used social engineering techniques to gain access to an employee’s computer. After obtaining about 20GB of data, the person or group behind the attack tried to blackmail Marriott, but the company refused to pay.
The hackers had access to Marriott’s network in less than a day. The company told CyberScoop it was already investigating the breach before receiving the blackmail attempt. The incident is said to have happened about a month ago, but has only now come to light.
Marriott has notified law enforcement and is assisting in the investigation. It will also notify regulators and between 300 and 400 people, most of whom are former employees. “Your information resided in archived files that were not detected by the scanning tool we use to identify and remove sensitive data from devices as part of our proactive security efforts,” a Marriott spokesman told Engadget.
According to DataBreaches, which first reported the attack, the hackers gained access to a server at the BWI Airport Marriott in Maryland. They provided the publication with screenshots that appear to show flight crew reservation documents, along with company credit card numbers for an airline or travel agency. According to Marriott, most of the information accessed by the hackers is “insensitive internal business files related to the operation of the property.”
“The incident only involved access to an employee’s device and documents on a connected file share server,” the spokesman said. “The incident did not involve access to Marriott’s core network, the guest reservation system at the property, or the payment processing system at the property.”
This is at least the seventh data security incident Marriott has been involved in since 2010, according to DataBreaches. One of the most notable cases emerged in November 2018. The company said hackers gained access to its Starwood subsidiary’s reservations database and obtained personal information on up to 383 million guests (although some of these were believed to be duplicate records). The data contained 5.3 million unencrypted passport numbers. The UK Information Commissioner’s Office fined Marriott £18.4 million (about $21.9 million at today’s rates) for the incident.
Update 7/6 3:24pm ET: Added more details from Marriott.