Hotel chain Marriott has suffered yet another embarrassing breach at the hands of organized hackers who say the lodging giant has very poor cyber defenses.
Over the past few years, Marriot has suffered several major breaches, some resulting in hundreds of millions of stolen customer records, lawsuits, and millions in regulatory fines.
The latest incident reportedly occurred about a month ago, when a group of anonymous hackers phished a BWI Airport Marriott employee and used his clearance to exfiltrate 20GB of data, including data on employees and possibly even hotel guests.
Marriott told cyber-news site Databreaches.net that most of the stolen data consisted of “non-sensitive internal business files. But the lodging behemoth might be downplaying the severity of the incident.
The hacking group claims it has gotten its hands on some proprietary information and the personal data of guests and employees, and labels the stolen data as “critical.”
Marriott also said it will notify 300-400 individuals, including regulators, as required in this instance.
“They did not provide a full description as to what kinds of personal information were involved for the individuals being notified,” according to Databreaches.
The outlet interviewed the hacking group and published several sample files allegedly stolen in the attack. While the group did demand ransom to refrain from going public with the breach, they said their modus operandi does not involve actual encryption, as is the case in most ransomware attacks. In an attempt to cast themselves as less malicious than other hackers, the criminal group said they don’t mean to wreak havoc and ruin businesses. They also said they focus only on companies and do not attack critical government infrastructure.
The group opined that Marriott’s cyber defenses are weak, telling interviewers that hacking them was a walk in the park.
“Their security is very poor, there were no problems taking their data. At least we didn’t get access to the whole database, but even the part that we took was full of the critical data,” the group is cited as saying.
A Marriott spokesperson told CyberScoop that the unauthorized access “only occurred for a short amount of time on one day.”
“Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay,” the spokesperson added.