Lessons not learned? Another Marriott data breach

Graeme Messina
September 7, 2020 by
Graeme Messina


Marriott is one of the best-known leisure brands in the world, specifically in the hotel and hospitality industry. It has over 7,300 hotels and guest properties globally in over 134 countries. Marriott also has many other well-known brand names within the group, such as Sheraton Hotels and Resorts and Westin Hotels and Resorts. The Marriott group is no slouch in the earnings department either, as it had an annual turnover of nearly $21 billion in 2019.

For these reasons, it came as a shock when Marriott disclosed that they had suffered possibly one of the biggest data breaches in history. The breach was detected on its Starwood guest reservation database, which contained a lot of personal data about their clients. This data included names, personal phone numbers, passport information and even encrypted card data for payments. The payment data was never proved to have been used but the fact that it was accessed by an outside group was very concerning.

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

The first Marriott breach

The initially reported Marriott breach was special for a few reasons. The first is that the breach persisted for over four years and even continued through the acquisition of Starwood by Marriott. The hackers essentially moved in and started living in the compromised database. 

The second is that Marriott managed to accumulate fines in excess of $125 million in GDPR fines. This was due to the fact that nearly 340 million customers had their records stolen. This is the second biggest known data breach in history, eclipsed only by Yahoo!’s staggering 500 million breached user accounts.

Of Marriott’s user breach, around 30 million customers were residents of the European Zone, while around 7 million of the total users were British. Like Europe, Britain also enforces GDPR. For more information about the original breach, you can find this article written by Howard Poston right here.

The second Marriott breach

With the first massive data breach still fresh on everyone’s mind, you can imagine everyone’s surprise when the world learned of yet another security-related incident from Marriott. This time, the company found itself having to disclose the fact that an additional 5.2 million customer records had been accessed in an unauthorized manner. You might be wondering how this could be possible after such an egregious breach was disclosed so recently, and you are not alone.

Marriott reported earlier this year that a second breach was discovered on an internal data system with personal information about customers. No credit cards or PINs were reportedly stolen through this breach, but serious questions are being asked of the company. The most damning part of the breach is that the vulnerability was exploited for about a month, beginning in early January of 2020. It was detected by the end of February. 

This is still a very long time for a breach to remain active on a system, but it is much better than the first incident. Not too many details were given about the specific chain of hotels that was affected from the network breach, but a dedicated website has been set up to assist users that might have had their account information compromised during this data breach. Users can log into this website to check if their accounts were affected by the breach.

The breach seems to have been traced back to the credentials of two employees at a franchise property. There has been no word if these employees were involved with the breach directly or if their credentials were stolen in a phishing or social engineering scam. If the latter is the case, then Marriott needs to institute cybersecurity awareness training across all of its companies and subsidiaries to make employees aware of how to avoid falling for these scams and giving up their credentials.

Marriott Bonvoy members that were affected will find that their accounts have been disabled. If the account is accessed, then the password needs to be changed in conjunction with a multi-factor authentication system.

These are promising steps and show that Marriott seems to be taking the user experience and security of their organization far more seriously. 

Preventative measures

We want to look at how this could have possibly been prevented and what lessons were not learned from the initial data breach. We will try to piece together the events leading up to the second breach through weaknesses that should have been identified after the first breach’s investigation. This should help us to understand how they could have avoided such a serious second breach so soon after the first and what lessons we can all learn from the debacle

A job post from April 2019 shows that the company definitely started taking security more seriously after the initial breach was announced. The position advertised was for an information security senior manager with a focus on endpoint compliance. We also know that over 70,000 devices on the Starwood network received endpoint software, the network was segmented and whitelisting techniques were implemented. This means that only devices that are authorized to access the network would be able to communicate with resources such as databases and network locations. 

Multi-factor authentication (MFA) and Single Sign-On (SSO) technologies have been introduced across the group, providing an additional layer of security to the system. Multi-factor authentication requires users to answer a challenge when logging on, usually in the form of a one-time PIN (OTP) or biometric reading. This means that if credentials are stolen from a user, that user’s mobile device or the user themselves will need to be present to complete the login.


As dire as the situation seems, there are some positive takeaways from this incident. The fact is that this second breach was detected much more quickly than the original hack. Marriott seems to have taken some better precautions, trying to tighten up security around their organization’s cybersecurity requirements. Using multi-factor authentication and thousands of new threat detection endpoints will go a long way to slowing down any further attacks in the future.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.



  1. Marriott Suffers Another Massive Data Breach, BankInfoSecurity
  2. The latest Marriott data breach impacts up to 5.2 million people—here’s what to do if you were affected, CNBC
Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.