Welcome to this week’s round-up of the latest in data breaches, leaks, and privacy intrusions. This week: Marriott hit by major data breach for the second time in under two years, Zoom vulnerabilities could give attackers access to users’ microphones and webcams, and a data breach at Princess Cruises.
Marriott Exposed 5.2 Million Records in Another Major Data Breach
On Tuesday, Marriott disclosed a data breach that impacted 5.2 million customers. This marks the second time Marriott has been hit by a major data breach in the past two years. In 2018, Marriott International disclosed a massive breach of its Starwood reservation system that exposed the personal and financial information of over 300 million guests.
The company later determined that 383 million guest records were stolen, which included 18.5 million encrypted passport numbers, 9.1 million encrypted payment card numbers, 5.25 million unencrypted passport numbers, and 385,000 valid card numbers.
According to Marriott, the company learned of the latest breach at the end of February when it discovered that “an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.” The attackers had direct access to Marriott Bonvoy loyalty data, which included names, addresses, email addresses, phone numbers, account numbers, dates of birth, linked loyalty program numbers, and stay preferences of 5.2 million members.
Marriott said that passwords, account PINs, credit card numbers, passports, and driver’s license numbers were not compromised. If you are a Marriott Bonvoy member, you can check whether your information was exposed using a web portal the company set up to help affected customers. If you were affected, you may be eligible for one free year of identity monitoring. Marriott is prompting all Bonvoy members to change their passwords when logging into their accounts online.
Zero-Day Zoom Exploit
With countless people now working from home due to the coronavirus pandemic, many of whom have turned to Zoom for video conferencing, the company has had quite the month. Now, however, it is facing not one but two zero-day exploits.
On Wednesday, two security researchers shared two previously unknown Zoom security vulnerabilities with TechCrunch that make it possible for an attacker to gain access to a victim’s computer. Once the attacker has access to the victim’s computer, they can then install malware or spyware and gain access to the victim’s microphone and webcam.
The first exploit injects the Zoom installer with malicious code to give the attacker “root” privileges. Then, the attacker can use the second exploit to inject more malicious code that gives the attacker access to the user’s microphone and webcam. The exploits are for Mac only and require the attacker to have physical access to the vulnerable computer.
Zoom has yet to issue a fix, so if you have a Mac and use Zoom, it would be wise to make sure strangers don’t have physical access to your computer, which is a good rule to follow whether or not any vulnerabilities are known.
Princess Cruises Hit by Data Breach
Princess Cruises, the cruise operator that was already reeling after suffering coronavirus outbreaks on board two of its ships, announced that it detected unauthorized access to employee email accounts that contained personal information on employees, crew members, and guests. The personal information included names, addresses, Social Security numbers, passport numbers, credit card and financial account information.
In a notice posted to the company’s website, Princess said that it identified suspicious activity in May 2019 and determined that a third party had unauthorized access to email accounts between April 11 and July 23, 2019. The notice was posted sometime in March. “As part of our regular process, we are undertaking a review of our security policies and procedures and implementing changes to enhance our security program. We take privacy and security of personal information very seriously,” said Jennifer Graone, Director of Data Privacy.
It is unclear why it took the company nearly a year to disclose the breach. Around the time of the disclosure, Princess Cruises’ parent company, Carnival, announced it was suspending all global operations and shutting down its fleet of 18 ships following a coronavirus outbreak on one of its ships that led to the infection of more than 700 passengers and crew members.