Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off 5.2m guests' personal info

Marriott Hotels has suffered its second data spillage in as many years after an "unexpected amount" of guests' data was accessed through two compromised employee logins, the under-fire chain has confirmed. The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January …

  1. macjules Silver badge

    Cloning your identity?

    The idea of this is to notify you if criminals are using your stolen details to clone your identity.

    You mean that Marriott are busy selling your details out through the back door ASAP so that they can make some cash during the current crisis?

  2. Anonymous Coward

    Out of the frying pan and into the fire

    "Free Experian identity monitoring is also being provided to those affected. "

  3. a_yank_lurker Silver badge

    Scratch Marriott off the list

    Time to scratch Marriott off the list permanently. The only problem is figuring out who else is a Marriott property to be avoided.

    1. Robert Helpmann?? Silver badge

      Re: Scratch Marriott off the list

      Because the internet has all the answers...

      https://www.marriott.com/marriott-brands.mi

    2. Pascal Monett Silver badge

      Re: Scratch Marriott off the list

      Agreed. I'm putting Marriott on my personal blacklist from now on.

      Enough is enough. Marriott has demonstrated that it doesn't give a flying one about customer security, so why should it continue having customers?

    3. Mike the FlyingRat

      Re: Scratch Marriott off the list

      If you scratch Marriott off your list, you're also scratching off Starwood and all of their chains too. This leaves Hyatt and Hilton. Holiday Inn and other lower-budget chains like Super8 are also available.

      Depending on how much you travel, where you travel... you may be limiting yourself.

      And trust me... I've done enough traveling over the past several years that there are some chains I want to avoid because I fear getting sick just staying there.

      1. Evil Auditor Silver badge

        Re: Scratch Marriott off the list

        there are some chains I want to avoid

        Yes, all of them. That is, at least the large, international chains. I did a lot of travelling in the past, both for business and leisure, and have had much better experiences staying off those chains. Of course, there are the odd ones like one which is marketing itself as a business hotel and you won't even find a table to work on in any room.

      2. Anonymous Coward

        Re: Scratch Marriott off the list

        If you are so inclined, you can still stay at Marriott hotels without having a loyalty account.

        I used to stay only at Starwood hotels, but since Marriott gobbled them up, I haven't stayed at any, the ones I looked at were old and tired, not like the Starwood hotels I remember.

        1. Anonymous Coward

          Re: Scratch Marriott off the list

          Doesn't make any difference whether you were part of the loyalty scheme or not, I spent one night in a Moxy last year without signing up to the loyalty scheme and they've confirmed they've leaked my name, address, email, phone number, date of birth and gender.

      3. Cuddles Silver badge

        Re: Scratch Marriott off the list

        "Depending on how much you travel, where you travel... you may be limiting yourself."

        Well yes, that's how boycotts work. You can't avoid using something you weren't going to use anyway. But if you're not willing to deal with the inconvenience, however big or small it may be, of avoiding something you dislike, you have no right to complain when you subsequently get shafted.

  4. Doctor Syntax Silver badge

    Nice timing.

    According to the Register report on the previous breach they and the ICO have agreed to "an extension of the regulatory process", whatever that might mean, until today. Somehow I doubt the ICO will be inclined to give them the benefit of the doubt over this. They have informed the ICO, haven't they? There's no mention of it.

    In the meantime Experian get to slurp a bit more of their customers' data.

    1. BebopWeBop Silver badge

      Re: Nice timing.

      In the meantime Experian get to slurp a bit more of their customers' data.

      That fills me with a great deal of confidence...

  5. Anonymous IV

    Expectation

    The statement that 'an "unexpected amount" of guests' data was accessed' leads to the question, "just how much data were they expecting to be accessed"?

    1. Malcolm Weir Silver badge

      Re: Expectation

      The breach was through unauthorized use of otherwise authorized credentials. So the statement makes perfect sense and indicates an unexpected level of anomaly detection!

      1. Doctor Syntax Silver badge

        Re: Expectation

        True, but if they had a reasonable expected amount shouldn't an alarm have been triggered at much, much less than 5.2 million records?
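        The point above (an alarm should fire well before 5.2 million records leave through one set of credentials) as an added example that is not from the article or any commenter: a volume check over constructed access-log lines, with an assumed per-account baseline rule that keeps flagged days out of the baseline so a multi-day siphon keeps alerting.

```python
"""Volume anomaly check for per-account record access.

Added example; log lines and the baseline rule are constructed here,
not taken from the article or from Marriott's systems."""
from collections import defaultdict

# Constructed sample access-log lines: date, account, records returned.
SAMPLE_LOG = """\
2020-01-06 agent.alice 120
2020-01-06 agent.bob 95
2020-01-07 agent.alice 140
2020-01-07 agent.bob 80
2020-01-08 agent.alice 130
2020-01-08 agent.bob 45000
2020-01-09 agent.bob 52000
"""

def parse_log(text):
    """Return {(date, account): records} from lines 'date account count'."""
    counts = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, account, n = line.split()
        counts[(date, account)] += int(n)
    return dict(counts)

def daily_alerts(counts, baseline_days=2, multiplier=5, floor=1000):
    """Flag a day when an account returns more than `multiplier` times the
    mean of its trailing non-anomalous days and more than `floor` records."""
    per_account = defaultdict(list)
    for (date, account), n in sorted(counts.items()):
        per_account[account].append((date, n))
    alerts = []
    for account, series in per_account.items():
        clean = []  # trailing normal days; flagged days never enter it
        for date, n in series:
            history = [c for _, c in clean[-baseline_days:]]
            if history:
                baseline = sum(history) / len(history)
                if n > floor and n > multiplier * baseline:
                    alerts.append((date, account, n, baseline))
                    continue  # keep the anomaly out of the baseline
            clean.append((date, n))
    return alerts
```

Without the `continue`, the second day of the siphon would be compared against a baseline already poisoned by the first and would go unflagged.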

  6. crayon

    "Guests are now being emailed from marriott@email-marriott.com, ..."

    Why do companies think it's a good idea to use all variations of domain names? They're not even in the email business; WTH would they register and use email-marriott.com?

    1. Prst. V.Jeltz Silver badge

      It's a moronic practice designed to ensure you can't tell if a link is genuine.

    2. David Nash

      Agreed, I received one of these and wasn't sure if it was genuine, due to the varied domain names used.

      It would not be unexpected to receive a phishing email claiming "click here to see if your details were compromised".

    3. Doctor Syntax Silver badge

      (a) To stop somebody else doing it to spoof the.

      (b) Because it's outsourced.

      I CBA to check if this applies to them but all too often this stuff is outsourced. When that happens a quick whois makes their marketing spam look like phishing. Yes, banks and building societies, I'm looking at you.
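The thread above is about recipients being unable to tell a legitimate variant such as email-marriott.com from a lookalike. As an added example (not from the article or any commenter), the check below classifies a sender domain against a published allowlist of sending domains; the allowlist, the brand token and the addresses are assumed for illustration, and the last test shows that without the allowlist entry the real domain looks exactly like a lookalike.

```python
"""Sender-domain classification for notification mail (added example).

ALLOWED_DOMAINS is an assumed allowlist an organisation would publish;
the brand token and sample addresses are constructed for illustration."""
import re

BRAND = "marriott"
ALLOWED_DOMAINS = {"marriott.com", "email-marriott.com"}  # assumed allowlist

def sender_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    m = re.fullmatch(r"[^@\s<>]+@([a-z0-9.-]+)", address.strip().lower())
    return m.group(1) if m else None

def classify_sender(address, allowed=ALLOWED_DOMAINS, brand=BRAND):
    """'listed' if the domain or a parent of it is on the allowlist,
    'lookalike' if it merely contains the brand token, else 'unrelated'."""
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    labels = domain.split(".")
    # Walk up parent domains so mail.marriott.com still matches marriott.com.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in allowed:
            return "listed"
    if brand in domain:
        return "lookalike"
    return "unrelated"
```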

  7. Anonymous Coward

    They should send out a link to cancel your Marriott loyalty program altogether, and totally remove every piece of information they have stored about you.

    1. the Jim bloke Silver badge

      Uh-huh,

      I see those emails all the time... click here to unsubscribe

      ... no, actually I only see them when I look inside my spam folder...

      The state of the web is that if anyone, claiming to be from anywhere, suggests you follow a link, treat it as an attempted mugging. If you personally know the sender, and expect the email - treat it like a possible hijacking instead, and verify.

      1. Doctor Syntax Silver badge

        And the years-old advice is don't click on any link in an unsolicited email. The fact that marketroids stuff their spam with links makes me think that they've never had that explained to them in words of one syllable and a 2 x 4. That in turn makes me realise that marketing departments are the easiest way in for anyone launching a malware attack. Between that and data hoarding they're a danger to any business.

  8. Oh Matron! Silver badge

    2FA FTW!

    Whilst not completely mitigated, wouldn't SSO and 2FA have almost prevented this?

    What's that? Your app doesn't support 2FA? Doesn't support SSO? Doesn't support geographic-aware login?

    1. Is It Me

      Re: 2FA FTW!

      Having the customers turn on 2FA wouldn't have made any difference; having staff use it probably would.

    2. johnfbw

      Re: 2FA FTW!

      Geographic-aware login probably wouldn't be sensible for a hotel app. It is literally for travelling; same with plane apps.

      2FA isn't a bad idea, until you remember that it is for travelling and you may not have service to allow you to unlock your door. (of course there are other ways)

  9. IGotOut Silver badge

    Who are these employees?

    I don't mean as in name and shame, but what role did they have?

    Directors? Reception staff? Cleaners? Marketing? IT?

    If it's anyone other than a select few of IT, why do these people have access to these details?

    Is the issue a bigger INTERNAL issue rather than some form of hacking?

  10. Mad Dave

    >Included in that hack were 8.6 million “encrypted” credit card numbers, though the hotel chain insisted that all but a mere 354,000 had expired

    So why were they holding onto the other 8.25 million numbers?


Biting the hand that feeds IT © 1998–2020