In a year that has seen a number of reports that suggest how costly a past data breach may be for Marriott in Canada as well as the U.K. and U.S., Marriott is disclosing yet another breach.
On October 30, Marriott International notified the California Attorney General’s Office of a breach at an unnamed vendor that impacted some of its associates. Their notification described the incident this way:
Marriott learned on September 4, 2019, that an unknown person gained access to information about certain Marriott associates by accessing the network of an outside vendor formerly used by Marriott. Once we became aware, Marriott immediately confirmed that the vendor was taking appropriate to steps to investigate the incident. The vendor reported that it was working with a forensic firm and had notified law enforcement. This vendor served as Marriott’s agent for receiving service of official documents, such as subpoenas and court orders. A document containing your information was sent to this vendor, and it was accessed during the incident. This incident did not impact the security of Marriott’s internal HR systems or platforms.
What Information Was Involved
The information in the document received by this vendor that contains your information includes your name, address, and Social Security number.
The date of the breach at the vendor’s was not disclosed.
Marriott is offering those notified one year of complimentary protection services with Experian’s® IdentityWorksSM Credit 3B program.
In an Appendix to their submission, Marriott disclosed that the documents that were accessed included documents relating to 1,552 California residents. The total number of individuals impacted was not disclosed. Marriott also noted it “has already
terminated its relationship with the vendor,” and the vendor has confirmed that it
securely removed all information regarding Marriott associates from its network.
DataBreaches.net sent an email inquiry to Marriott seeking clarification as to whether the vendor was a former vendor at the time of the breach or only became a former vendor because of the breach. This site also inquired as to the total number of associates, nationwide, that were impacted. Other details were also requested. This post will be updated if a response is received.
Update: On Nov 4., this site received a response from Jeff Flaherty, Global Communications & Public Affairs for Marriott. They did not answer any of this site’s questions:
Although we understand your interest, Marriott’s notification that you saw on the California Attorney General’s website contains the information that Marriott is providing. Marriott is notifying all associates involved. If you do choose to use any of the information provided, please attribute to a Marriott spokesperson. Thank you.