Marriott Hacked (Again): Have You Been Bonvoyed?




If you’ve ever had any dealings with Marriott, you’ll probably already know that its IT systems are pretty useless, but what you may not know is that its IT systems aren’t very secure. In fact, their security appears to be laughably easy to circumvent.

The last Marriott hack was revealed in November 2018 but that hack specifically related to the legacy Starwood systems and, as poorly as Marriott managed that crisis, the problem wasn’t one of Marriott’s making…but this one certainly is.

What We Know

Marriott has confirmed that at the end of February this year, it noticed that the login credentials of two employees at a franchise Marriott property were being used to access customer information. The hotelier believes that the activity to harvest customer information started around the middle of January this year.

Marriott has stated that it “has no reason to believe” that any customer account details (passwords, pin numbers, etc…) have been compromised nor does Marriott believe that any personal or financial data has been illegally accessed – this is where this hack differs significantly from the Starwood hack in which a lot of personal data was compromised.

At the current time, Marriott believes that up to 5.2 million guests may be affected by this hack and that the following data on these guests may have been compromised:

  • Contact Details (e.g., name, mailing address, email address, and phone number)
  • Loyalty Account Information (e.g., account number and points balance, but not passwords)
  • Additional Personal Details (e.g., company, gender, and birthday day and month)
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
  • Preferences (e.g., stay/room preferences and language preference)

Not all affected guests will have had all of this data compromised but if you are caught up in this, it’s probably safest to assume that it has been.

Marriott’s Response

Marriott has been informing affected Bonvoy members of this breach via email since yesterday (31 March 2020) but with 5.2 million emails to send, not everyone who has been caught up in this may have received their email yet.

Note: Emails are being sent from [email protected] 

The best way of knowing if your details were accessed illegally is to try to access your Bonvoy account online – Marriott has disabled the passwords of all the accounts it has flagged as being affected so if you’re part of this mess, you’ll be asked to change your password. If you can log in to your account without issue you’re probably in the clear.

If you’re not a Bonvoy member but have stayed with Marriott in the recent past or if you’re a Bonvoy member who wants a further check to see if your details have been compromised, Marriott suggests that you visit this dedicated site where you can enter your details and (apparently) find out if you’ve been affected…and to what degree.

It should be noted that I haven’t received an email and my account isn’t locked but I still went ahead and inputted my information into the support page (to see what would happen) and all that I saw was an error message.

Either Marriott has a very strange way of letting me know that I’m not caught up in the breach or this is yet another bit of Marriott-related IT that’s not working properly.

In addition to letting people know that they gave their information away, Marriott is offering affected guests a year’s membership of IdentityWorks (a monitoring company run by Experian) and it has created a support page to answer most questions that guests may have.

Bottom Line

This is more than a little embarrassing for Marriott…especially as it can’t say that this breach didn’t take place on its watch (as it was able to do with the Starwood breach).

It’s interesting to note that, at the time of writing, Marriott makes no mention of this incident anywhere on its homepage (unlike with the previous breach) so it appears to be in full-on damage limitation mode and doing its best to make sure that only those who absolutely have to know about the latest incident (all 5.2 million of them!) get to find out. Good luck with that!

I really don’t know what more to say at this point except that it’s now more obvious than ever that you shouldn’t entrust any corporation/business/person with more information than you have to. If a form that you’re asked to fill out says that a section is optional, don’t fill that section in. If a corporation doesn’t demand all your info, don’t provide all your info – this isn’t complicated stuff.

Assume that whatever information you’re passing over to others will probably be compromised sooner or later and act accordingly.

3 COMMENTS

  1. I have not received an email notification from Marriott but a fraudulent charge for an online retailer just showed up on my Chase Marriott Bonvoy Visa card that was on my Marriott acct even though they say credit card data was not accessed. Coincidence??? Pretty suspicious. Filled out request at portal and based on response in portal, they say my data was not exposed. Hmmmm.
