Marriott International has confirmed another data breach, with hackers claiming to have stolen 20 gigabytes of sensitive data including guests’ credit card information.
The incident, first reported by Databreaches.net on Tuesday, is said to have happened in June, when an unnamed hacking group claimed to have used social engineering to trick an employee at a Marriott hotel in Maryland into giving them access to their computer.
“Marriott International is aware of a threat actor who used social engineering to trick a co-worker at one Marriott hotel into providing access to a partner’s computer,” Marriott spokeswoman Melissa Frolich Flood told TechCrunch in a statement. “The threat actor was unable to access the Marriott core network.”
Marriott said the hotel chain had identified and was investigating the incident before the threat actor called the company in an attempt to extort it, a demand Marriott said it did not pay.
The group claiming responsibility for the attack says the stolen data includes guests’ credit card information and confidential information about both guests and employees. Sample data submitted to Databreaches.net purports to show airline crew members’ reservation records as of January 2022, along with the names and other details of guests and the credit card information used to make reservations.
However, Marriott told TechCrunch that its investigation concluded that the data accessed “primarily contains internal business files that are not sensitive in connection with the operation of the property.”
The company said it is preparing to notify 300-400 individuals of the incident, and has already notified relevant law enforcement agencies.
This isn’t the first time that Marriott has experienced a major data breach. Hackers breached the hotel chain in 2014 to gain access to nearly 340 million guest records worldwide – an incident that was not discovered until September 2018 and led to a £14.4 million ($24 million) fine from the UK’s Information Commissioner’s Office. In January 2020, Marriott was hacked again in a separate incident that affected approximately 5.2 million guests.
TechCrunch asked Marriott about the cybersecurity safeguards it has in place to prevent such incidents, but the company declined to answer.