
Marriott experienced a data breach – Again!

The hotel giant Marriott confirmed a new data breach, this time involving the personal information of 5.2 million guests.

Admir Dizdar
April 3, 2020

According to an online notice that Marriott posted on Tuesday, the attack was carried out via third-party software that Marriott’s hotel properties use to provide guest services.

Marriott discovered the breach in late February. The hackers obtained the login credentials of two employees and broke in weeks earlier, in mid-January.

While Marriott said it has “no reason” to believe payment data was stolen, data like names, addresses, phone numbers, loyalty member data, dates of birth and other travel information were stolen in the breach.

The hotel giant is also forcing password resets for Bonvoy loyalty club members, who will also be prompted to enable multi-factor authentication on their accounts.

This is the second Marriott breach in two years

This was not the first time that Marriott experienced a data breach. Back in 2018, Starwood, a subsidiary of Marriott, was hacked, and personal data and guest records on 383 million guests were exposed.

The data included five million unencrypted passport numbers, in addition to more than 20 million encrypted passport numbers.

Passport numbers can be used for identity theft and to commit fraud. They also remain highly valuable to spy agencies, which can use the information to track down where government officials, diplomats and adversaries have stayed. This gives insight into what would ordinarily be clandestine activities.

Marriott also stated that 8.6 million unique payment card numbers were stolen, but only 354,000 cards were active at the time of the breach.

According to the company’s statement, there is no evidence that the hackers stole the keys needed to decrypt the data, but the company did not say how it reached that conclusion.

The company said the contents of the stolen data were from the Starwood guest reservation database. Marriott acquired the database when it bought Starwood and its 1,200 properties in 2016.

Starwood’s security lapse became the largest data breach that year, and remains one of the most damaging hacking incidents in recent history.

In response to that breach, European authorities fined Marriott $123 million.

5 Common Causes for Data Breaches That Businesses Should Watch Out For

We compiled this list to help organizations prepare for and prevent a breach like the one described above.

No business wants to deal with the blot on its reputation and the huge loss of money that follows a data breach. In order to create a robust data security and network security strategy, it’s important for you to understand what causes a data breach in the first place. Here is a list of some of the most common causes behind data breaches you should watch out for:

  • Software or network vulnerabilities
  • Accidental employee mistake
  • Malicious misuse by employee
  • Malware attack
  • Failure in security of a physical device

Software or network vulnerabilities

Any software vulnerability that isn’t patched as soon as it is discovered is a convenient target for hackers. Make sure to test your software and find those vulnerabilities before the hackers do. If you can’t find the time or resources to test the software manually, use an automated application security testing solution like Bright.

Also, stay away from pirated software. The fact that it is illegal should be reason enough to avoid it, but worse still, it may contain all kinds of malware.

Since the network acts as a layer of protection, any faults in the network design or deployment could also lead to a data breach.

Accidental employee mistake

From falling for a phishing scam to losing important documents containing confidential information, there is a wide range of mistakes that employees can make that lead to a data breach. A lack of proper cybersecurity training, and of stringent security policies, can be blamed for these employee mistakes.

Malicious misuse by employee

Unlike unintended employee mistakes, malicious misuse by an employee indicates something much more serious: someone on the inside is intentionally sharing confidential business information for some sort of personal benefit. This cause of a data breach is extremely difficult for an organization to foresee. Defining clear user roles and setting suitable permissions for data and system use can help control the access an employee has to business data.

Malware attack

Malvertisements and phishing are among hackers’ favorite ways of spreading malware. A malware attack can quickly progress from its origin system, move into the network and infect other systems in its way. Installing anti-malware software and keeping it updated is a must for any business. Educating employees about phishing and malvertisement is also essential.

Failure in security of a physical device

A data breach could also happen when a device is no longer secure, meaning it has been lost or stolen. Such devices can be anything from laptops, smartphones and storage devices to servers. It’s not only important to keep the devices secure in the first place, but also to take extra measures, like encryption, to protect the data on the device.

Stay safe out there!
