Marriott International began notifying guests Tuesday of an incident that may have leaked the personal information of up to approximately 5.2 million guests.
The company said it currently believes the following information may have been involved, although not all was present for every guest:
- Contact details (name, mailing address, email address and phone number)
- Loyalty account information (account number and points balance, but not passwords)
- Additional personal details (company, gender and birthday day and month)
- Partnerships and affiliations (linked airline loyalty programs and numbers)
- Preferences (stay/room preferences and language preferences)
According to Marriott, the incident involved an application used by Marriott hotels to provide services to guests at hotels. At the end of February, the company said it noticed an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. Marriott believes the activity started in mid-January.
Upon discovery, Marriott disabled the login credentials in question, began an investigation, implemented heightened monitoring and arranged resources to inform and assist guests. The company also notified relevant authorities and is supporting their investigations.
Although Marriott’s investigation is ongoing, it said it has no reason to believe the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs or driver’s license numbers.
Marriott carries cyber insurance and is working with its insurers to assess coverage. The company said it does not believe that its total costs related to this incident will be significant.