Marriott hotel chain employee data leak. Why do companies allow this to happen?

Marriott International hotel chain has alerted its associates about a cyber security incident that could negatively impact the security of some associates' data (specifically their social security numbers), after an unidentified threat actor accessed the network of an outside vendor formerly used by Marriott, data protection experts reported. This incident did not involve or impact the security of Marriott's own systems or platforms. A limited number of current and former Marriott US employees' information was involved in the incident, and all of these employees are in the process of being notified by Marriott in accordance with US legal requirements.

The company states that the exposure of information stems from a cyberattack suffered by an external vendor that had previously worked for Marriott: "Marriott learned on September 4, 2019, that an unknown person gained access to information about certain Marriott associates by accessing the network of an outside vendor formerly used by Marriott," the company's statement says.

Apparently, this vendor worked for Marriott receiving official documents (citations, court orders, etc.): it acted as Marriott's agent for purposes of receiving service of official legal documents such as subpoenas and court orders. According to data protection specialists, no partners were involved, only a limited number of employees.

After detecting this information exposure, Marriott contacted the third-party provider, which assured Marriott that it is handling the incident in the best possible way: "We have been in frequent contact with the vendor since we learned what occurred to ensure appropriate action is being taken in response. Marriott has already terminated its relationship with the vendor, and the vendor confirmed that it has securely removed all information regarding Marriott associates from its network," the hotel chain added.

As a security measure for affected associates, Marriott announced that they will be provided with a free identity theft protection service for one or two years, depending on US state law requirements.

Although the company learned about this incident two months ago, it could not be publicly disclosed until each affected associate had been informed directly and the competent authorities had been notified. All affected current and former Marriott associates will have been notified by early next week. Marriott has identified and reported the final number of affected employees to US regulators in accordance with US legal requirements.

This is not the first security incident reported by Marriott. About a year ago, data protection specialists from the International Institute of Cyber Security (IICS) reported that a hacker group managed to compromise the databases of Starwood, one of Marriott's multiple brands, exposing almost 383 million records; the number of unique guests affected was lower, as there were multiple records for the same guests.