Marriott said Tuesday that hotel guests' names, loyalty account information and other personal details may have been accessed in the second major data breach to hit the company in less than two years.
Approximately 5.2 million guests worldwide may have been affected, the company said. The information taken may have included names, addresses, phone numbers, birthdays, loyalty information for linked companies like airlines and even room preferences. Marriott said it's still investigating but it doesn't believe credit card information, passport numbers or driver's license information was accessed.
Marriott has 7,300 hotel and resort properties across 134 countries, including the Ritz-Carlton, Sheraton and Westin chains. The company said it noticed an unexpected amount of guest information was accessed at the end of February using the login credentials of two employees at a franchised property. Marriott said it believes the activity began in mid-January. It said it has disabled those logins and is assisting authorities in their investigation.
The company didn't say whether the employees whose logins were used were suspects in the investigation. The company also didn't say if those employees remain on staff.
"The company does not currently believe that its total costs related to this incident will be significant," Marriott said in a statement.
Marriott has created a website, mysupport.marriott.com, and a call center to help affected customers. There's another website that helps people determine if they were affected.
In November 2018,in which hackers accessed information on as many as 383 million guests. In that case, Marriott said unencrypted passport numbers for at least 5.25 million guests were accessed, as well as credit card information for 8.6 million guests. The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016.
The FBI led the investigation of that data theft, and investigators suspected the hackers were working on behalf of China's Ministry of State Security, the rough equivalent of the CIA. At the time, it was one of the largest-ever cyberattacks on a company.
Marriott said it has informed guests of the new data breach. The Maryland-based company is offering affected guests free enrollment in a personal information monitoring service for up to one year.