Dive Brief:
- Marriott International last month suffered its third publicly acknowledged data breach in four years. The hotel chain disclosed the incident after DataBreaches.net reported an unnamed threat actor claimed to have stolen 20 gigabytes of sensitive data.
- A previous data breach that began in 2014 and went undetected for four years ultimately impacted 500 million guests. That breach hit the reservation system for Starwood Hotels and Resorts Worldwide two years before Marriott completed its acquisition of the company, forming the largest hotel chain globally.
- Marriott claims the incident was quickly contained and potential exposure was limited to about 400 individuals.
After suffering one of the worst data breaches on record, Marriott disclosed another data breach in March 2020 that exposed account details on up to 5.2 million guests. This latest incident, though relatively minor, marks a pattern of personally identifiable information breaches with human error at the root.
In the latest incident, a threat actor “used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” a Marriott spokesperson said via email. “The threat actor did not gain access to Marriott’s core network.”
Following an investigation, the company said it determined the information that was accessed primarily contained non-sensitive internal business files regarding the property’s operations.
The hotel chain said it identified the breach and was investigating the incident before the threat actor contacted the company in an extortion attempt. Marriott did not pay the threat actor, according to the company spokesperson.
The unnamed threat actor claiming to be behind the attack supplied DataBreaches with documents containing personal information, including airline flight crews’ names, corporate credit card information, and room numbers at the BWI Airport Marriott property.
Marriott asserts no such information was accessed, but said it notified law enforcement and the company is supporting further investigation.
While lapses in security have become routine across sectors, a concern for Marriott is the pattern and the role security plays in corporate governance. The last time "cyber" or "security" was mentioned on an earnings call occurred in mid-2019.
Marriott’s global operating committee lists 24 members and none of those individuals have cyber or security in their title.
Arno Van Der Walt has served as CISO at Marriott since January 2018, but is not listed on the company’s leadership page. Jim Scholefield, who is listed on the leadership team and designated as “responsible for leading all aspects of the company’s information technology and digital strategies,” joined Marriott in January 2020 to serve as its global chief information and digital officer.
Marriott, in a late 2021 filing with the Securities and Exchange Commission, reported it had spent $16 million in the first three quarters of the year related to recovery from the 2018 data breach.