Hotel chain Marriott disclosed a security breach that impacted more than 5.2 million hotel guests who used the company's loyalty app.

According to a breach notification on its website, Marriott learned of the security breach at the end of February, when it discovered that a hacker had used the login credentials of two employees from one of its franchise properties to access customer information from the app's backend systems.

Marriott says the hack dated back to mid-January but did not disclose additional details about how it happened.

Marriott says the intruder had direct access to Marriott Bonvoy loyalty data such as:

  • Contact details (e.g., name, mailing address, email address, and phone number)
  • Loyalty Account Information (e.g., account number and points balance, but not passwords)
  • Additional Personal Details (e.g., company, gender, and birthday day and month)
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
  • Preferences (e.g., stay/room preferences and language preference)

Marriott said, "Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers."

Marriott launched a web portal where app users can check if they're one of the 5.2 million users impacted by the security breach, and what data the hacker might have accessed.

This is the second security breach the hotel chain has disclosed in the past 16 months.

Chris Morales, head of security analytics at Vectra, says that, "Recent Vectra research shows that privileged access from unknown hosts occurs inside every industry, leading to unintended exposure of critical systems. Yet these privileged accounts rarely receive direct oversight or technical control of how they are used, even when privileged access management tools are in place. It is this lack of oversight or understanding of how privileged accounts are being used that creates the operational and financial risk for organizations. If used improperly, privileged accounts have the power to cause much damage, including data theft, espionage, sabotage, or ransom."
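As an added illustration of the oversight gap Morales describes (example code written for this page, not code from the article, Marriott or Vectra), the script below baselines which hosts each account normally uses and flags later activity from an unfamiliar host or an unusual volume of guest records; the log format, account names, addresses and thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample audit lines (one JSON object per line); not real Marriott data.
# Two franchise accounts normally look up a handful of guest records from property
# hosts; later both appear from one unfamiliar address pulling bulk data.
SAMPLE_LOG = """\
{"ts": "2020-01-10T09:00:00Z", "user": "emp_a", "host": "10.20.1.15", "action": "lookup", "records": 3}
{"ts": "2020-01-11T09:05:00Z", "user": "emp_a", "host": "10.20.1.15", "action": "lookup", "records": 2}
{"ts": "2020-01-12T09:10:00Z", "user": "emp_b", "host": "10.20.1.22", "action": "lookup", "records": 4}
{"ts": "2020-01-15T02:30:00Z", "user": "emp_a", "host": "203.0.113.7", "action": "export", "records": 50000}
{"ts": "2020-01-15T02:45:00Z", "user": "emp_b", "host": "203.0.113.7", "action": "export", "records": 48000}
"""

def parse_log(text):
    """Parse JSON-per-line audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(events, cutoff_ts):
    """Map each user to the hosts seen before the cutoff (ISO-8601 strings sort chronologically)."""
    hosts = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff_ts:
            hosts[e["user"]].add(e["host"])
    return hosts

def detect(events, baseline, cutoff_ts, record_threshold=1000):
    """Flag post-cutoff events from a host the user never used before,
    or that touch far more records than a normal front-desk lookup."""
    alerts = []
    for e in events:
        if e["ts"] < cutoff_ts:
            continue
        reasons = []
        if e["host"] not in baseline.get(e["user"], set()):
            reasons.append("new_host")
        if e["records"] > record_threshold:
            reasons.append("bulk_access")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"], "reasons": reasons})
    return alerts

def run_sample(cutoff_ts="2020-01-14T00:00:00Z"):
    """Baseline on the early lines, then scan the later ones."""
    events = parse_log(SAMPLE_LOG)
    return detect(events, build_baseline(events, cutoff_ts), cutoff_ts)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a real deployment the baseline would come from weeks of history and the alert would feed a review of the account, not block it automatically; the point is that credential misuse like the one Marriott describes shows up as a change in where and how much an account reads, even when the login itself succeeds.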