Marriott International notified some of its associates of an incident that exposed their social security numbers (SSNs) to an unknown party.
An unknown individual may have accessed the information from the network of an unnamed vendor that was acting as the hotel’s agent for receiving service of official documents.
Data was on third-party systems
Marriott learned on September 4 that someone accessed sensitive information available in official papers, like subpoenas and court documents, present on the systems of an outside vendor, formerly used by Marriott.
“A document containing your information was sent to this vendor, and it was accessed during the incident,” reads a letter to affected individuals signed by Peggy Hassinger, Vice President, Associate Relations.
Details about the circumstances that made access possible have not been disclosed. What is clear, though, is that the vendor received official documents regarding certain Marriott associates and that data was “accessed or accessible” during the incident.
At least 1,552 individuals are impacted. On October 30, the hotel started to notify via mail the people for whom an address could be found.
All of them now have one year of free credit monitoring and identity theft protection services from Experian’s IdentityWorks Credit 3B, provided by Marriott.
Trouble contacting people
Marriott says that a list with the potential victims received from its former agent did not include addresses for most. This is probably a factor contributing to delivering the notification almost two months after the potential breach became known.
“Marriott has been working to identify addresses for all associates. There are a few associates left where Marriott is still working to find an address. Marriott will mail letters to those few remaining associates as soon as the addresses are found.”
At the time of the discovery, Marriott learned from the affected vendor that they were already investigating with a forensics company and law enforcement had also been notified.
The vendor is no longer working with the hotel and confirmed that it securely deleted from its network data regarding Marriott associates.
Compared to the breach disclosed last year, where intruders accessed a Starwood reservation database with personal details of 383 million guests, this seems like a minor incident. In all fairness, the unauthorized access to Starwood’s reservation system had been happening since 2014, before Marriott acquired their properties.
At the beginning of this year, it was revealed that the Starwood database contained 5.25 million unencrypted passport numbers.