Marriott International today revealed that the personal information of roughly 5.2 million hotel guests was impacted in a data breach incident detected at the end of February 2020.

"At the end of February 2020, we noticed that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property," the company said in a statement.

"We believe this activity started in mid-January 2020. Upon discovery, we immediately ensured the login credentials were disabled, began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."

Breach notification letter (Mauro Servienti)

Although an investigation of this incident is ongoing, Marriott says that currently there is no "reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers."

Marriott has set up a self-service online portal for guests who want to determine whether their info was involved in this data breach and, if so, what categories of personal data were involved.

In addition, Marriott Bonvoy members who had their information potentially exposed in the incident had their passwords disabled and will be requested to change their password on the next login, as well as prompted to enable multi-factor authentication.

According to Marriott, the following guest information might have been involved in the breach, in various combinations for each of the affected customers:

• Contact details (e.g., name, mailing address, email address, and phone number)

• Loyalty Account Information (e.g., account number and points balance, but not passwords)

• Additional Personal Details (e.g., company, gender, and birthday day and month)

• Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)

• Preferences (e.g., stay/room preferences and language preference)

Marriott is also offering affected guests the option to enroll in the IdentityWorks personal information monitoring service, free of charge for 1 year.

The company also alerted relevant authorities about the incident and is supporting ongoing investigations.

This is the second data breach Marriott has reported in the last two years as the company also announced in November 2018 that its Starwood Hotels guest reservation database was breached.

As Marriott said at the time, signs of unauthorized access were detected as far as 2014, compromising the personal information of approximately 339 million guest records globally.