Hotel chain Marriott International was hit by a second data breach in three years — this time involving the personal information of 5.2 million guests. Marriott said it discovered the breach of an unspecified property system at a franchise hotel at the end of February. The hackers had obtained the login details of two employees and had broken into the system weeks earlier, in mid-January.

What data was breached? Names, email addresses, phone numbers, loyalty account numbers and balances, employers, gender, birthdays, and room preferences were breached. Not all of this information was breached for each of the 5.2 million people; only some of the data points may have been leaked for some guests, Marriott clarified. The hotel group said that it has “no reason to believe” that Marriott loyalty account passwords, payment information, passport information, national IDs, or driver’s licence numbers were breached. Marriott said it has notified the relevant authorities and has informed guests whose data was breached.

Marriott was fined almost £100 million after the previous breach

In December 2018, Marriott had said that the central reservation system of its Starwood subsidiary was hacked, exposing the personal data and records of 500 million guests. For 327 million of these guests, names, mailing addresses, phone numbers, email addresses, passport numbers, birthdays, gender, and arrival and departure information were breached. Some records included payment card numbers and card expiration dates, although the card numbers were encrypted. For others, the exposed information was limited to mailing address and email address. The system had been exposed since 2014, before Marriott acquired Starwood Hotels in 2016.

The UK Information Commissioner’s Office (ICO) had fined Marriott almost £100 million in July 2019 for violating the General Data Protection Regulation (GDPR), the EU’s data protection law. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and “should also have done more to secure its systems”. The ICO said that under the GDPR, organisations need to carry out due diligence when acquiring other companies. When Marriott acquired the Starwood Hotels group in 2016, the vulnerability had already existed for two years, and it continued for two years thereafter.

MGM Resorts also had a data leak in February 2020

In February 2020, the personal data of approximately 10.6 million guests of US casino operator MGM Resorts was made public on a hacking forum. The data included home addresses, contact information, driver’s licence numbers, and even passport numbers in some cases. The leaked information included records on celebrities, executives at technology companies, reporters, and government officials. Law firm Morgan & Morgan, whose lawyer John Yanchunis has fought other data breach cases, sued the resort group later in February.