New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Marriott Data Breach

Marriott International, a huge international hotel chain, has released information on a data breach that has affected roughly 5.2 million guests. In the release, they stated that at the end of February 2020, Marriott noticed that an “unexpected amount of guest information” was accessed using the login credentials of two employees at a franchise property. According to Marriott, the activity started in mid-January 2020. Once found, Marriot disabled the login credentials of the employees and began their investigation. In their statement, they stated that there is “no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.” However, Marriott disabled the passwords of all guests whose information was accessed and is prompting those guests to enable multi-factor authentication. The information compromised is:

 • Contact details (e.g., name, mailing address, email address, and phone number)
• Loyalty account information (e.g., account number and points balance, but not passwords)
• Additional personal details (e.g., company, gender, and birthday day and month)
• Partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
• Preferences (e.g., stay/room preferences and language preference)

Analyst Notes

Security teams at companies should consider putting controls in place to detect unusual patterns of data access from legitimate accounts. Not only can this type of control detect attackers using compromised accounts, but it can also detect insider threats from employees abusing their access. It is important to implement multi-factor authentication (MFA) for employee accounts that can access sensitive information, in order to prevent attackers from gaining access by simply guessing or stealing an employee’s password. Marriott is offering affected guests the option to enroll in the IdentityWorks personal monitoring service free for one year. People who are affected should be on the lookout for increased phishing attacks. Don’t click on links in email messages claiming to offer information about the breach, especially if the web page they lead to asks for a password. Instead, go directly to the official Marriott support website ( for information. The information that was accessed is a treasure trove for attackers to tailor their campaigns for maximum success.