The US hotel chain Marriott has confirmed a new data leak. Criminals claim they gained access to 20GB of data that includes confidential business records and customer payment information. The data comes from the “BWI Airport Marriott”, an airport hotel in Baltimore, Maryland.
According to information from DataBreaches.net, criminals gained access to a hotel computer and connected servers in June using social engineering. Among other things, they were able to obtain credit card information from Marriott customers.
Ransom not paid
In response to an inquiry from TechCrunch, a spokeswoman for the hotel group confirmed the attack. An employee of the airport hotel fell victim to social engineering and gave an external person access to a hotel computer. The criminals initially tried to blackmail the hotel chain with the data leak, but no ransom was paid, she said.
According to a Marriott spokeswoman, the criminals had no access to the hotel chain’s core network. They were only able to access “primarily non-sensitive internal business files” pertaining to that individual hotel. Despite this, Marriott intends to notify between 300 and 400 customers about the data leak. Law enforcement agencies have also been involved.
Third data breach at Marriott
This is the third known data breach at the hotel chain. In 2018, data from 500 million hotel guests was stolen through “unauthorized network access” at Marriott. The access took place via the IT systems of the subsidiary Starwood.
About a year and a half later, another data leak at Marriott allegedly affected 5.2 million hotel guests. In this case, unknown persons were apparently able to access the data records via the logins of two employees of a franchisee in the chain. Compared to those two leaks, the incident at the Baltimore airport hotel is a small case.
A security expert told The Verge that “Organizations that have been victims of previous attacks are more likely to be targeted in the future, as this latest data breach shows.” This applies in particular to social engineering, which exploits the human factor in IT security. “Cyber criminals know that a company’s employees are its greatest weak point – which is why they keep resorting to this technique.”