Marriott Data Breach exposes PII and credit cards

Marriott International has acknowledged yet another data breach, this time affecting between 300 and 400 people.

Marriott told Dark Reading that it was a social engineering scam that was able to trick a single hotel employee into giving them credentials for computer access. Now the attackers want extortion money. The hotel chain added that it was preparing to notify those compromised.

DataBreaches.net was first to report Marriott’s latest compromise after the outlet said threat actors contacted it to brag about the breach. The report said that the attackers specifically targeted the Marriott at BWI Airport in Baltimore, Maryland, and were able to exfiltrate 20GB of data, including credit card details.

“The threat actor did not gain access to Marriott’s core network,” a Marriott spokesperson said in a statement to Dark Reading. “Our investigation determined that the information accessed primarily contained non-sensitive internal business files relating to the operation of the property.”

The spokesperson added that the company was already aware of the incident and was investigating before the attacker contacted Marriott with demands for payment. Marriott refused to pay and is working with law enforcement, the person said.

According to the DataBreaches.net report, some of the information exposed included Personally Identifiable Information (PII) for flight crews staying at BWI, including names, numbers and flight times, position, room number, and the credit card used for the reservation.

Attack follows massive Marriott breach in 2020

This latest incident pales in comparison to Marriott’s 2020 breach that exposed the PII of more than 5.2 million members of the hotel chain’s loyalty program. But it illustrates how vulnerable organizations can be to follow-up attacks after an initial compromise, according to Jack Chapman, vice president of threat intelligence at Egress.

“As this latest data breach demonstrates, organizations that suffered from previous attacks are more likely to be targeted in the future,” Chapman said in an email to Dark Reading. “Social engineering is a very effective tool, and cybercriminals know that an organization’s people are its greatest vulnerability – that’s why they come back to this technique again and again.”

The results are undeniable: social engineering works.

“Social engineering is one of the primary mechanisms used by adversaries,” explained Saryu Nayyar, CEO and founder of Gurucul, via email. “It’s simple and effective. And it means that the initial compromise depends on human behaviors and therefore cannot be prevented 100% of the time. It only takes one successful compromise to bypass most preventive controls.”

Finding and securing the organization’s most valuable data is a good first step in protecting against these increasingly common social engineering schemes, says James McQuiggan, a security awareness advocate at KnowBe4.

“Too often, in data breaches, users are discovered to have access to more data than needed to perform their tasks effectively, only to be found after the breach when it is copied onto the Dark Web and the user didn’t need it,” adds McQuiggan. “Any sensitive data, such as names, emails or other personal data such as human resources evaluations, must be protected by multi-factor authentication in order to increase protection and reduce the risk that an attacker has easy access.”