
Marriott Suffers Another Data Breach Exposing Guests’ Credit Card Information

News is breaking that Marriott International, the largest hotel chain in the world by number of available rooms, has suffered yet another data breach. According to the hackers, over 20 GB of sensitive data, including credit card and other confidential information about guests and employees, was stolen.


Databreaches.net broke the news that hackers used a social engineering trick to gain access to an employee’s computer at a Marriott hotel in Maryland. Marriott said the threat actor then contacted the chain in an attempt at extortion, which Marriott did not pay. Contrary to the hacker’s claims, Marriott also said that the data breach mostly contained non-sensitive business files.


Marriott has had several significant data breaches before: a breach in 2014 led to a $24 million fine from the U.K.’s Information Commissioner’s Office, and a breach in 2020 affected 5.2 million guests.


Cyber experts shared their insights on the breach.


Amit Shaked, CEO, Laminar


“Visibility into a company’s data is undeniably important but has gotten a lot more complicated in recent years. Data visibility was once limited to a self-contained, on-premises system. This is now extremely hard to come by in our multi-vendor, multi-cloud world.

With the cloud allowing businesses to work from anywhere at any time, greater access drives higher levels of risk. The increased pace of change, as well as the sprawl of new cloud tech, has allowed data to spread around various places, leaving some data to be more-or-less invisible in a “dark corner.” Most breaches happen in these hiding places in the shadows.

The key for business leaders to combat this and rise above data breach culture is having the tools to provide visibility into all of an organization’s cloud data. By doing so, data protection teams can understand where their ‘shadow’ data stores are, their security posture and who owns them. Doing so leads to data flowing smoothly and safely and allows teams to be able to identify when something goes amiss.”


Steve Moore, chief security strategist, Exabeam


“According to the unnamed group that claimed responsibility for this attack, their ‘patient zero’ was tricked into providing access to the computer on Marriott’s network – this is common and often defeats even the best security controls. Even with social engineering, there's typically a short list of methods employed by the adversary post-contact. Therefore, defenders must focus on the truths of what comes next – credential theft and misuse, along with deviant behavior.

Some interesting attributes of this new, unnamed adversary group include:

  • They seem very disciplined and measured in their actions – a sign of maturity.

  • They don't want a high profile, to the point they aren't sharing a moniker.

  • They aren't new; they claim they've worked successfully for five years, an incredibly long tenure.

  • They also don't go after governments, only businesses – this is likely a self-preservation method.

  • They focus not on encryption, but instead on theft and extortion to not impact operations.

  • Lastly, they begin with social engineering and likely persist with credentials.”


Arti Raman (She/Her), CEO and Founder, Titaniam


“In the recent data breach confirmed by Marriott, hackers claimed to have stolen 20 gigabytes of sensitive data including guests’ credit card information. As hacks and extortion become more and more frequent, to truly minimize the risk of potential extortion and minimize lost clear text data, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is the only option for complete protection and peace of mind.

“Utilizing data-in-use encryption technology provides unmatched immunity. Should adversaries gain access to data, by any means, data-in-use encryption keeps the sensitive data encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”

