Marriott will today notify up to 5.2 million guests of a possible data breach via email.

The “incident involving a property system” is believed to have come from an application at a franchise property which helps provides services to guests.

The hotel group says that it identified that “an unexpected amount of guest information” may have been accessed using the login credentials of two employees from mid-January to the end of February.

Marriott believes that the following information could have been attained:

  • Contact details
  • Loyalty account information (but not passwords)
  • Additional personal details, such as company, gender and date of birth
  • Partnerships and affiliations e.g. linked airline loyalty programmes
  • Preferences e.g. room/stay and language preference

Marriott disabled the login credentials upon discovery of the activity and says it is carrying out an investigation into the matter. The company has also “implemented heightened monitoring and notified relevant authorities”.

In a statement published today, the group said:

“Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, national IDs, or driver’s license numbers.”

In addition, if the group has determined that a Marriott Bonvoy member’s information was involved, it has disabled the existing password and prompted the guest to enable multi-factor authentication to further protect access to their account.

Marriott has also set up a dedicated website along with call centre resources to provide additional information to guests. The website and email will outline a list of steps guests involved can consider taking. Guests can also consider enrolling in a personal information monitoring service free of charge for one year.