Two years after a major data breach that exposed 339 million guest records and cost Marriott $124 million in GDPR violation fines, the company has suffered another, albeit smaller, security breach.

The hospitality company announced that in February 2020 it discovered that a large amount of guest information might have been accessed using the login credentials of two employees at one of Marriott’s franchise locations. Marriott believes this activity started in mid-January and that the accounts were disabled upon discovery. The company also immediately launched an investigation, implemented heightened monitoring, and worked to inform and assist guests.

At this point, Marriott believes that contact details (names, mailing addresses, emails, and phone numbers), loyalty account information (account numbers and point balances), additional personal details (company, gender, and birthday day and month), partnerships and affiliations (linked airline loyalty programs and numbers), and stay preferences (such as room and language preferences) of 5.2 million guests were exposed. While the investigation is still underway, Marriott does not currently believe that account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers have been exposed.


Marriott notified guests involved in the breach by email on March 31. Included in the email are details on how to enroll in a personal information monitoring service that Marriott is offering. They also set up a dedicated website and call center with additional information. 

The company also noted that it carries cyber insurance and is working with insurers to assess coverage. At this time, Marriott does not believe the total cost of this incident will be significant. 

Kevin Lancaster, GM of security solutions at Kaseya, believes that the nature of this breach presents a good opportunity for companies to prioritize cybersecurity awareness training, particularly phishing training. “One of the most effective types of active training is phishing simulation,” he said. “As the name implies, you mail out simulated phishing attempts to people in your organization and track their response. This helps you to get a better sense of security awareness of individuals in your organization. While one employee might be on top of their game, another might be submitting data to every phishing email that he gets. So it’s best to direct limited training resources where they’re most needed. I’ve also seen cases where just knowing that phishing simulation goes on in the organization and that their management sees the results improves people’s caution with clicking on sketchy emails.”