Marriott International confirmed Tuesday that unknown criminal hackers broke into its computer networks and then attempted to extort the company, marking the latest in a string of successful cyberattacks against one of the world’s biggest hotel chains.
The incident, first reported early Tuesday by databreaches.net, allegedly occurred roughly a month ago and was the work of a group claiming to be “an international group working for about five years,” according to the site.
A Marriott spokesperson told CyberScoop that the company “is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer.” The access “only occurred for a short amount of time on one day. Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay.”
The company has notified law enforcement, the spokesperson said.
The group claiming responsibility for the attack told Databreaches.net — a news site that focuses on data breaches and cyberattacks — that it stole roughly 20 gigabytes of data, which included credit card information and confidential information about guests and workers from an employee at the BWI Airport Marriott in Baltimore. The attackers “emailed numerous employees” at Marriott about the breach, the site reported, and had been in at least limited communications with Marriott.
The Marriott spokesperson said the “incident did involve access to approximately 20 GB of files,” and added that the “size of the files involved is not an indication of the content.”
The attackers provided Databreaches.net samples of the documents they claimed to have stolen, and screenshots posted to the site purport to show reservation logs for airline crew members from January 2022 and credit card authorization forms. The site reported that the hackers shared another “relatively recent” file, but Databreaches.net chose not to post it.
Marriott told CyberScoop that most of the stolen information was “non-sensitive internal business files regarding the operation of the property.” The company told Databreaches.net that the it would be notifying 300-400 people and regulators, as required, a figure the Marriott spokesperson confirmed late Tuesday to CyberScoop.
CyberScoop could not independently verify information about the stolen material or about the attackers claiming responsibility.
Marriott has suffered serious data breaches in the past, such as in November 2018 when the company revealed hackers breached one of its subsidiary brand’s reservations systems and stole the personal data of roughly 500 million guests. Many American officials and private analysts blamed the Chinese government for that hack, which spanned 2014 to 2018.
A second breach, revealed in March 2020, netted hackers with data on as many as 5.2 million guests, the company said at the time.
Updated 7/5/22: to include additional details from the Marriott spokesperson.