Marriott has confirmed yet another data breach after attackers recently broke into the company's systems. The company said hackers used social engineering techniques to gain access to an employee's computer. After obtaining around 20GB of data, the person or group behind the attack tried to extort Marriott, but the company refused to pay up.
The hackers had access to Marriott's network for less than a day. The company told CyberScoop it was already looking into the breach before it received the extortion attempt. The incident is said to have taken place around a month ago, but it only just came to light.
Marriott has informed law enforcement and is assisting with the investigation. It will also notify regulators and between 300 and 400 individuals, most of whom are former employees. "Their information was in archived files that were not detected by the scanning tool we use as part of our proactive security efforts to identify and remove sensitive data from devices," a Marriott spokesperson told Engadget.
According to DataBreaches, which first reported on the attack, the hackers gained access to a server at BWI Airport Marriott in Maryland. They provided the publication with screenshots that appear to show reservation documents for flight crews, along with corporate credit card numbers for an airline or travel agency. Marriott said most of the information the hackers accessed was “non-sensitive internal business files regarding the operation of the property.”
"The incident only involved access to one associate’s device and documents on a connected file share server," the spokesperson said. "The incident did not involve access to Marriott’s core network, the guest reservation system at the property or the payment processing system at the property."
This is at least the seventh data security incident involving Marriott since 2010, according to DataBreaches. One of the more notable cases emerged in November 2018. The company said hackers gained access to the reservation database of its Starwood subsidiary and obtained personal details of as many as 383 million guests (though some of those were believed to be duplicate records). The data included 5.3 million unencrypted passport numbers. The UK's Information Commissioner's Office fined Marriott £18.4 million (around $21.9 million at today's rates) over the incident.
Update 7/6 3:24PM ET: Added more details from Marriott.