Marriott is in the news again for a data breach, but this time it appears to be contained to one of the hotel chain’s locations. Social engineering was used to trick an employee at a Baltimore location into giving up access to the local network, which the attackers used to filch some 20GB of data.
Marriott says that most of the stolen data consisted of relatively harmless “business information,” but around 400 credit card numbers were compromised. Photos of several of the leaked credit cards, posted to a data breach reporting site, indicate that some were corporate cards used to book reservations for traveling airline staff.
Marriott data breach hits property near Baltimore airport
The property in question was the BWI Airport Marriott of Baltimore, and the company says that it has contacted guests that were impacted by the data breach. Though not as bad as prior incidents, the social engineering attack is another in a chain of security lapses that trace back to a massive 2014 breach that exposed nearly all of the company’s customers and was not discovered until 2018.
The social engineering approach apparently ensnared a member of the BWI Airport Marriott staff, who gave up access to their account. This access appears to have been limited to the local property, with the breach not extending into the Marriott corporate network.
The attacker was nevertheless able to make off with some sensitive and valuable information, primarily scans of the front and back of some number of corporate credit cards used by airlines to book rooms for their staff. These were tied to printed records that also indicated the dates of the bookings, the name of the traveler, room number and their check-in and check-out times.
The breach window appears to have been about six hours (most likely sometime in May), yet the attacker was able to plunder the location’s files during that time. This includes some potentially sensitive information about employees, including performance reviews and salary information.
Incident highlights overlooked threat of social engineering
Organizations are rightly concerned with ransomware and malware, but old-fashioned social engineering should not be overlooked.
Social engineering will always be attractive to attackers because it is a route past potentially sophisticated technical defenses; trick one employee into giving up a login, and you can walk right past an entire defensive perimeter. It’s unclear exactly how the social engineering was done in this incident, but a common approach with corporate chains is for the attacker to pretend to be from a central IT department that needs access to fix a problem with the computers.
This is another aspect of cyber crime that has been on the rise in recent years, as companies increasingly adopt work-from-home models and those workers interact with remote IT staff when issues come up with the devices they use to reach the company network from home. Regular security awareness and data breach training should absolutely include modules on social engineering, but security experts also recommend layered technological defenses that keep attackers from leveraging a compromised employee account to move further into the network, such as limiting what any one account can reach and alerting on access patterns that a legitimate employee would not produce.
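One such layered defense is detection on the file-access side: a single property account that reads tens of gigabytes across several shares inside a few hours looks nothing like a front-desk employee’s normal day. The script below is an added example written for this article, not code from Marriott or from any vendor; it runs over a constructed file-server access log (timestamps, users, share names and byte counts are all made up), and the six-hour window, the 5 GB byte threshold and the three-share threshold are hypothetical tuning values chosen to match the incident as described.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3

# Constructed sample file-server access log (not real data):
# "<timestamp> <user> <share> <bytes_read>". The second account, "mlee",
# shows ordinary activity; "jsmith" shows a compromised-account pattern.
SAMPLE_LOG = """\
2022-05-10T09:02:11Z jsmith front-desk 12000
2022-05-10T09:15:40Z jsmith front-desk 8500
2022-05-10T13:01:05Z jsmith hr-records 1500000000
2022-05-10T13:30:22Z jsmith finance 4200000000
2022-05-10T14:05:09Z jsmith reservations 6100000000
2022-05-10T15:40:51Z jsmith hr-records 3900000000
2022-05-10T16:10:33Z jsmith finance 5300000000
2022-05-10T10:00:00Z mlee front-desk 20000
2022-05-10T10:30:00Z mlee reservations 30000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, share, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, share, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, share, int(nbytes)))
    return events


def flag_bulk_readers(events, window=timedelta(hours=6),
                      byte_threshold=5 * GB, share_threshold=3):
    """Sliding-window check per account.

    For every event, sum the bytes read and count the distinct shares touched
    within [event time, event time + window). An account is flagged when any
    window exceeds the byte threshold or touches at least share_threshold
    shares. The returned alert keeps the worst (largest-volume) window seen.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per account
        for i, (start, _, _, _) in enumerate(evs):
            total = 0
            shares = set()
            for ts, _, share, nbytes in evs[i:]:
                if ts - start >= window:
                    break
                total += nbytes
                shares.add(share)
            if total >= byte_threshold or len(shares) >= share_threshold:
                prev = alerts.get(user)
                if prev is None or total > prev["bytes"]:
                    alerts[user] = {
                        "window_start": start,
                        "bytes": total,
                        "shares": sorted(shares),
                    }
    return alerts


if __name__ == "__main__":
    for user, alert in flag_bulk_readers(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {alert['bytes'] / GB:.1f} GB across "
              f"{len(alert['shares'])} shares from {alert['window_start']:%Y-%m-%d %H:%M}")
```

In a real deployment the thresholds would be set from a baseline of each role’s normal access, and the alert would feed an automated response (session revocation, forced re-authentication) rather than only a log line; the point is that a stolen password alone should not be enough to quietly read an entire property’s files.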