By all accounts, the breach was preventable using available best practices, as was an earlier spectacular hack in 2018.

The personal data of up to 5.2 million members of the Marriott Bonvoy loyalty program have been leaked. The compromised information included personal details such as contact information (names, mailing addresses, email addresses and phone numbers), birth dates and details linked to customer loyalty programs and guest preferences.

It was believed that the information was accessed using the login credentials of 2 employees at a franchise property.

Notably, this is the hotel chain’s second data breach in two years, with one major attack in 2018 that involved 500 million people—one of the largest breaches in history.

Threat analysis

This current data breach occurred due to stolen login credentials, and highlights the importance of performing a detailed threat model on business operations and then implementing appropriate monitoring controls to ensure that threat vectors can be quickly identified.

According to Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group: “In this case, the attack vector was via compromised employee credentials. Those credentials provided access to guest services within individual properties under the Marriott brand.Since employees often have access to sensitive customer data, creating appropriate alerts to detect credential misuse is particularly difficult. Examples of behavior to look out for include: time of day (is the employee clocked in?), scope of access (is the accessed data outside of their normal role?), and volume of data (is the access consistent with how an employee would access data to address customer requirements?).”

Mackey said implementing such controls requires organizations to look not only at the application security and how it is deployed, but the intended usage patterns incorporating human factors data.

Another expert, Darktrace’s director of strategic threat, Marcus Fowler, noted that this breach should serve as a wake-up call to all in the hospitality sector and other industries being negatively impacted by the pandemic. “Attackers will not wait until businesses have stabilized before they attack, or until security and IT teams have completed the transition to remote work! Instead, adversaries will look to use this uncertainty and upheaval to their advantage—striking while businesses are struggling to adapt.”

In the meantime, Marriott spokespeople have said that the unauthorized access likely started in mid-January and had continued for about a month and a half. Upon the hack’s discovery at the end of February, the hotel chain disabled the compromised logins and started an investigation. It began notifying affected guests only recently.

Concluded Fowler: “Unfortunately, the risks of business email compromise are exacerbated when employees are working remotely, and are hungry to receive information from colleagues or updates from their company. Employees need to remain on high alert for targeted phishing campaigns and businesses need to find ways to support their security teams. Technology like AI that can streamline investigations and stop attacks before they can do damage can buy back valuable time for overwhelmed teams.”