Marriott suffers data breach due to social engineering attack

Image by Jonathan Kemper via Unsplash

July 7, 2022

Marriott International, one of the largest hotel chains in the world, has suffered another data breach.

According to the hackers, more than 20 GBs of sensitive data, including credit cards and other confidential information about guests and employees, was stolen.

Databreaches.net reports that hackers used a social engineering trick to access an employee’s computer at a Marriott hotel in Maryland. The hotel chain said the threat actor then contacted the chain in an attempt at extortion, which Marriot did not pay. Marriott also said that the data breach mostly contained non-sensitive business files.

In a statement to TechCrunch, Marriott spokesperson Melissa Froehlich Flood says, “Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer. The threat actor did not gain access to Marriott’s core network.”

The hotel chain is preparing to notify 300-400 individuals and has notified law enforcement agencies.

Marriott has had several significant data breaches before: a breach in 2014 led to a $24 million fine from the U.K’s Information Commissioner’s Office, and a breach in 2020 affected 5.2 million guests.

Social engineering attacks are common and often defeat even the best security controls, says Steve Moore, chief security strategist at Exabeam. “Even with social engineering, there’s typically a short list of methods employed by the adversary post-contact. Therefore, defenders must focus on the truths of what comes next — credential theft and misuse, along with deviant behavior.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.