Marriott International says a breach may have compromised the personal data of 5.2 million customers, the second significant data breach for the hotel chain in less than two years.
A significant penalty under the EU’s General Data Protection Regulation (GDPR) after the first breach in November 2018 still hangs over Marriott in the United Kingdom. The company said in a press release Tuesday that it has begun sending emails about the latest incident to potentially affected customers.
The new breach, which Marriott said it discovered in February, compromised customers’ contact and personal details, loyalty account information, partnerships and affiliations, and room preferences. The company said it does not believe any personal financial information—like credit card numbers—or personal identification, including passports, national IDs, and driver’s licenses, were compromised in the breach.
The breach began in January 2020, Marriott said. A month later, the company noticed “an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.” The login was disabled, and the company notified federal authorities and began its own investigation into the breach. Marriott did not say who used the login credentials to gain access to the company’s database.
Marriott said it “notified relevant authorities and is supporting their investigations.” The hotel chain has set up a dedicated Website and call center resources with additional information for guests
“The company does not currently believe that its total costs related to this incident will be significant,” the release said.
Marriott’s 2018 breach affected as many as 327 million customers and may have the compromised credit card numbers of some of those guests. The U.K.’s Information Commissioner’s Office (ICO) proposed a fine of £99.2 million (U.S. $124 million) on Marriott for infringements of the GDPR.
The fine is still being finalized after appeal.
The 2018 vulnerability is believed to have begun when the systems of the Starwood Hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”