The hotel giant’s admission comes less than a year after receiving notice of a hefty fine for a previous breach
Hotel chain Marriott has admitted to its second major data breach in just two years.
The latest breach – disclosed on Tuesday (March 31) – affects up to 5.2 million people and has exposed the names, addresses, birth dates, email addresses, and telephone numbers of many, if not all, of those affected.
The names of guests’ employers, their room stay preferences, and their loyalty account numbers may also have been exposed.
Although Marriott’s investigation is ongoing, the company reckons even more sensitive data including payment card information, passport information, national IDs, and driver’s license numbers was not exposed – or at least it has no evidence of any such exposure.
The breach was first identified at the end of February after Marriott realized a large amount of guest information may have been accessed using the login credentials of two employees at an [unnamed] franchise property.
“The company believes that this activity started in mid-January 2020,” Marriott explained in a statement about the breach.
“Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
Marriott added that it had notified the “relevant authorities” [presumably police and regulators] and is supporting their investigations. In the meantime, the hotel chain has begun notifying affected guests by email as well as establishing a dedicated support website.
In November 2018, Marriott admitted that a separate breach may have exposed the personal details of 500 million (later revised down to 339 million). The breach dated back to 2014 and stemmed from insecure systems at Starwood hotels group, a business Marriott acquired in 2016.
Marriott was faulted for a lack of due diligence. In July 2019, UK data privacy regulators announced plans to fine Marriott £99 million.