Marriott International Inc. said a data breach in February led to unauthorized access of account details for as many as 5.2 million customers.
The Maryland-based hotel company discovered malicious actors using login credentials of two employees to access customer information, Marriott said in a statement.
The accessed information included contact details, loyalty account data, birth dates, and hotel preferences, the statement said. Payment card data, passport information, and driver’s license numbers weren’t accessed, Marriott said.
Companies often face regulatory action and class litigation after a data breach. Marriott is facing regulator actions and class litigation over a 2018 breach that exposed guests’ information in its Starwood database dating back to 2014.
The company didn’t immediately respond to a request for comment.
Marriott in its statement said it disabled the login credentials, started an investigation, and implemented increased data security monitoring. It is also offering one -year of free credit monitoring to impacted customers.
Marriott customers filed suit in 2018 over alleged data security failures that led to the breach that year. Banks that serve Marriott also filed suit in 2018 over alleged monetary losses tied to the breach. Both cases are ongoing.
The U.K.'s lead privacy authority, the Information Commissioner’s Office, announced in July 2019 its intention to fine Marriott 99 million pounds ($122.6 million) for the 2018 data breach. The ICO, however, has yet to file formal charges in the Marriott action.