Lessons Learned from the Marriott Hack of 2022


The Marriott hotel chain has been plagued by a series of unfortunate events over the last few years. In 2022, a data breach of the Marriott hotel chain occurred for the third time in four years, this time primarily affecting credit card data and internal documents pertaining to company operations.

While this incident was not as severe as some of the earlier Marriott data breaches, it shows that the hotel chain is still actively being targeted by cyberattackers, a common occurrence for companies that have been hacked in the past.

Hotel chains across the country would do well to study the latest Marriott hack in detail, so they can learn how Marriott's technologies failed and apply those lessons to their own networks and IT services. We'll explore the latest Marriott hack in detail, as well as some of the other cybersecurity incidents that have plagued this hotel chain, and explain how other hotels can learn from its failures.

A History of Data Breaches at Marriott

Unfortunately for company and IT leaders, Marriott has a history of data breaches and cybersecurity issues. By examining the thread of these cybersecurity problems, we can identify common patterns and learn from their mistakes. 

The 2018 Breach

In 2018, a massive data breach was identified in the guest database of the Starwood hospitality company, a large vacation rental, hotel, and resort organization purchased by Marriott International in 2016. Although the breach was detected in 2018, the actual break-in happened in 2014.

Before the hotel chain noticed, hackers were able to copy more than 5.25 million unencrypted passport numbers and 383 million booking records. Additionally, the hackers stole 8.6 million encrypted credit card numbers and 20.3 million encrypted passport numbers, which remain protected as long as the encryption holds. Once the damage was done, it was one of the largest data breaches in history.

The 2020 Breach

In yet another data breach, Marriott International announced on March 31st, 2020, that the property system of another franchisee had been hacked. This time, personal information from 5.2 million guests was stolen, including names, phone numbers, addresses, and dates of birth. The hack was made possible by stealing two employees’ login information, which the bad actors then used to gain access to the system to steal customer data.

The Marriott 2022 Data Breach: How Did It Happen

In June 2022, Marriott was hacked again when an unnamed hacking group targeted the hotel chain and used social engineering to steal passwords, which the group then used to access Marriott's internal system.

The hacking group used their access as leverage in an attempt to extort money from Marriott, which the company did not pay. In the end, the hackers made off with 20 gigabytes of sensitive customer data, including personal information and credit card numbers.

Lessons Learned from the Marriott Data Breach 

By looking at the various Marriott breaches in depth, IT professionals and hospitality business leaders can start to learn where similar vulnerabilities exist within their own systems. This knowledge is the first step toward developing a more informed and proactive cybersecurity approach.

Here are some of the top lessons that hospitality organizations of any size should be taking from the previous Marriott data breaches. 

Train Employees on Social Engineering

In the 2022 Marriott hack, cyberattackers gained access to Marriott's internal system through social engineering. Bad actors use this common tactic to trick employees into giving up sensitive information that they would never otherwise disclose.

First, the bad actor identifies their victim and collects data on them to craft a believable story. Then, they engage the target and use the collected details to trick them into giving up login or access credentials. They then use those credentials to impersonate a legitimate user to gain access to the system and steal information.

Spotting these social engineering attacks is challenging, but training your employees can help. Giving them examples of popular social engineering techniques and showing them ways to defend against them can give them more confidence in turning away would-be hackers.

Set Up Alerts for Suspicious Activity

In the latest Marriott hack, Marriott's IT leaders were alerted to the intrusion almost immediately after it occurred, which let them get ahead of the incident before any extortion attempts were made. They then communicated with the hackers, trying to negotiate a settlement, although they did not end up paying a ransom.

They were able to gain leverage in the situation largely because they were immediately notified of the unauthorized entry. Setting up alerts for suspicious activity helps to avoid problems like the 2018 data breach, which went undetected for four years.
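One way to express such an alert, as an added example that is not from the original article or from Marriott: it correlates a login from a host that is new for an account (the pattern left by stolen credentials) with a large outbound transfer in the same session. The event format, host names, window and threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)      # assumed correlation window after a login
BYTES_THRESHOLD = 5 * 10**9      # assumed limit: 5 GB outbound per session

# Constructed baseline and events (not real data):
# (time, user, source host, event type, bytes sent out)
KNOWN_HOSTS = {"alice": {"ws-014"}, "bob": {"ws-020"}}
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "ws-014", "login", 0),
    ("2024-01-10T09:05:00", "alice", "ws-014", "transfer", 40_000_000),
    ("2024-01-11T02:10:00", "alice", "vpn-ext-7", "login", 0),
    ("2024-01-11T02:20:00", "alice", "vpn-ext-7", "transfer", 3_000_000_000),
    ("2024-01-11T02:45:00", "alice", "vpn-ext-7", "transfer", 4_000_000_000),
    ("2024-01-11T08:00:00", "bob", "ws-020", "login", 0),
    ("2024-01-11T08:30:00", "bob", "ws-020", "transfer", 6_000_000_000),
]

def detect(events, known_hosts):
    """Alert on logins from hosts not in the user's baseline, and escalate
    when that session's outbound volume crosses BYTES_THRESHOLD in WINDOW."""
    alerts = []
    suspect = {}  # (user, host) -> [login time, bytes out so far, escalated?]
    for ts, user, host, kind, nbytes in sorted(events):  # ISO times sort as text
        when = datetime.fromisoformat(ts)
        key = (user, host)
        if kind == "login" and host not in known_hosts.get(user, set()):
            suspect[key] = [when, 0, False]
            alerts.append({"rule": "login_from_new_host", "user": user,
                           "host": host, "time": ts})
        elif kind == "transfer" and key in suspect:
            state = suspect[key]
            if when - state[0] > WINDOW:
                continue  # too long after the login to correlate
            state[1] += nbytes
            if state[1] >= BYTES_THRESHOLD and not state[2]:
                state[2] = True  # escalate once per suspicious session
                alerts.append({"rule": "bulk_transfer_after_new_host_login",
                               "user": user, "host": host, "time": ts,
                               "bytes_out": state[1]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(alert)
```

The large transfer from bob's usual workstation raises nothing under this rule; volume from known hosts would need its own baseline-based alert.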

Employ Zero Trust Architecture

Even if one terminal or network access point is hacked, keeping it separate from the rest of your network can prevent threat actors from getting too far into your system. This approach is known as zero trust architecture. By requiring your system to validate every stage of an interaction, you can catch suspicious activity much earlier and isolate it from causing widespread damage.  

Learn from Past Attacks

If your business is unlucky enough to get hit by a data breach, it’s essential to learn from your experience and implement more powerful safeguards. As Marriott has seen, being the victim of a data breach puts you at additional risk for more hacking attempts in the future. If you’ve been hit once, there’s a good chance you’ll get hit again. 

A Smaller Size Doesn’t Protect You

Unfortunately, small and medium-sized businesses are at just as much risk for cyberattacks as larger companies. In fact, recent research suggests that smaller businesses are actually more vulnerable. 43% of data breaches involve small and medium-sized businesses, and 83% of affected companies cannot financially recover, forcing them to alter their operations or close entirely.

Since hotels deal with so much personal information from guests, they must understand the risks they face and step up to ensure they can protect this sensitive data. If they cannot, they may find themselves dealing with a Marriott-style breach with even fewer resources to help them survive. 

Protect Your Hotel from Data Breaches

In addition to implementing all the suggestions we laid out above, hospitality businesses must take additional steps to protect their hotel from data breaches. The most important protective measure is to ensure your technology stack is proactively defended against threats.

If you don’t have the expertise, budget, or time to take on this project yourself, get in touch with us. We have extensive experience in helping deliver actionable threat intelligence that companies can use to protect their organization from cyberattacks.