A LoyaltyLobby reader sent me a link to a piece published yesterday by CYBERSCOOP about a data breach that had taken place at the BWI Airport Marriott hotel.
Based on the information released, it appears that most of the stolen data was local to this specific property, and the hacker(s) who used “social engineering” to access an employee’s computer didn’t penetrate Marriott’s corporate network.
The hacker group that made this information public had apparently first tried to sell it to Marriott (essentially blackmail), which declined, as it should.
The stolen data included airline sign-in sheets as published by DataBreaches.net:
The most important information here is that AA pays BWI Airport Marriott 85 + taxes for each room occupied by its employees.
Marriott released the following statement to CYBERSCOOP:
A Marriott spokesperson told CyberScoop that the company “is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer.” The access “only occurred for a short amount of time on one day. Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay.”
So, it seems that someone had access to a computer at this property where an employee had signed in using their credentials.
Then the “hacker” essentially downloaded all the files available to this person, which apparently came to roughly 20GB.
It is unclear if guest information beyond these airline sign-in sheets was stolen. In addition, some employee evaluations and other information proprietary to this hotel were leaked.