Thu | Jul 7, 2022 | 3:39 PM PDT

Fool me once, shame on you. Fool me twice, shame on me. Fool me three times and, well... let's just say that some people might be looking for a new job.

Marriott International has confirmed that it was victim to another data breach, its third since 2018, as an anonymous group of threat actors says it was able to successfully exfiltrate 20 GB of data, which includes credit card and other confidential information. was contacted by the alleged group of hackers, who provided some information on the breach. DataBreaches learned that the files contained in the breach came from BWI Airport Marriott in Maryland.

After speaking with the anonymous group, DataBreaches reached out to Marriott's CISO, Arno Van Der Walt, who agreed to speak with their counsel. Marriott confirmed the incident and that data was exfiltrated, but played down the significance of the breach.

The cause of the breach? Social engineering. The threat actors allegedly fooled a single associate at the hotel into giving them access to their computer.

Marriott claims it had already identified the incident before DataBreaches contacted them and that the incident was contained in less than six hours. It also says that most of the stolen data was "non-sensitive internal business files," and that it will be contacting approximately 300-400 affected individuals. 

While the data breach might not contain any truly sensitive information, the hacking group said it was astonishingly easy to access:

"Their security is very poor, there were no problems taking their data. At least we didn't get access to the whole database, but even the part that we took was full of the critical data."

More trouble for Marriott

This recent data breach is the third significant breach since 2018 for Marriott International.

In November 2018, Marriott Starwood's reservation database was breached, resulting in 500 million guests personal information leaked to the Dark Web for cybercriminals to purchase. This breach was due to old systems Starwood used before being acquired by Marriott in 2016.

In February 2020, Marriott experienced a data breach that affected 5.2 million guests after employee credentials were stolen.

While it is difficult to defend against a social engineering scheme that targets a single worker, this breach serves as another good reminder for organizations to practice and teach cybersecurity hygiene to all their employees, regardless of department or role.