Marriott hit by second data breach, as security experts warn of more attacks

Just when you thought it couldn’t get any worse for the hotel industry, the world’s largest hotelier, Marriott International, has reported another major customer data breach, its second within two years.

This time, the stolen data covers 5.2 million guests and includes postal addresses, emails, phone numbers, loyalty account information and birth dates. Marriott says that while its investigation is ongoing, it does not believe that payment card or passport details were accessed.

Already reeling from the impact of the global pandemic, Marriott stock traded as low as U$67.65 on the NASDAQ on April 1, down 55% from US$152.60 on January 2. Other major chains such as Hilton Worldwide have also been hit hard, dropping 44% over the same period.   

Marriott was fined £99 million by the UK’s Information Commissioner’s Office after it admitted in November 2018 that hackers had stolen the records of 339 million guests, including credit card and passport details. However, it is not clear whether the chain has actually paid the fine as the ICO extended the deadline until March 31 this year – just days ago.  It did the same for British Airways which was fined £183 million for a personal data hack involving half a million customers.  

In early March, the ICO fined Cathay Pacific £500,000 for a breach of 9.4 million passengers’ data, including passport and identity details, between October 2014 and May 2018. The fine was lower because the hack took place when less punitive data security regulations were in place.

According to Marriott, the most recent attack was made using the login credentials of two employees to access an app used by hotels operated and franchised under Marriott’s brands. Some security companies are warning that this type of “account takeover” attack is on the rise among travel companies.    

Cyber security provider PerimeterX says it has seen a significant increase in the percentage of account takeover traffic (ATO) to travel and hospitality sites in recent months. “While travellers are staying home, the hackers are still out and about,” says the company’s Ameet Naik. Other providers suggest that more repeat attacks are likely. “It is true that if you’ve been hacked once, it’s likely to happen again – especially if you have lots and lots of valuable data, as big hotel groups do,” says John Norden of Infocyte.  

The ongoing spectre of data breaches – and massive fines – could not come at a worse time for the travel industry, which has been decimated by the outbreak. Airline and hotel revenues have plunged around the world as more countries close their borders to international travel to contain the spread of the virus. Globally, the sector is likely to contract by at least 20 to 30% in 2020, according to the World Tourism Organisation, translating into a loss of between US$300 to 450 million in tourism receipts, as well as a huge reduction in jobs.