Hotel chain Marriott has suffered yet another data breach, with unknown threat actors managing to steal 20GB worth of data from its servers.
As reported by Engadget, the attackers targeted the company’s employees with social engineering techniques, and one of them fell for it. The group managed to access the company’s endpoints (opens in new tab) for less than a day, but this was enough to steal data on up to 400 people, most of whom were allegedly former employees.
“Their information was in archived files that were not detected by the scanning tool we use as part of our proactive security efforts to identify and remove sensitive data from devices,” a Marriott spokesperson told Engadget.
Core network untouched
Apparently, the threat actor targeted the BWI Airport Marriott, in Maryland, USA. It obtained reservation documents for flight crews, as well as corporate credit card numbers for an airline or travel agency. Marriott further said that most of the data was “non-sensitive internal business files regarding the operation of the property.”
“The incident only involved access to one associate’s device and documents on a connected file share server,” the spokesperson said. “The incident did not involve access to Marriott’s core network, the guest reservation system at the property or the payment processing system at the property.”
The group also tried to extort Marriott, but the company is said to have refused to pay a ransom fee for the safe return of the data.
Marriott can’t seem to catch a break with cyberattacks. In the past decade, the chain has suffered seven incidents, the biggest happening in November 2018, after purchasing Starwood hotels.
The subsidiary was already compromised when Marriott bought it, but after failing to properly audit its systems, it ended up giving away data on more than 380 million guests. The identities (opens in new tab) of many customers were at risk, as more than five million unencrypted passport numbers were allegedly stolen, as well.
The company was fined almost $22 million by the UK’s Information Commissioner’s Office (ICO) for the incident.