Massive Data Leak Exposes Nearly 5 Million Hospitality Guests in Spain and Austria Security researchers at Cybernews uncovered a major data breach involving Spanish and Austrian hospitality platforms, exposing nearly 5 million users’ personal information. The incident stemmed from an attacker who compromised 527 accounts belonging to hotels and hosts, using them to extract sensitive data via automated Python scripts. The stolen data totaling 6.5GB was left unprotected on an open server, allowing researchers to access it. The breach affected platforms like Chekin (a Spain-based automated check-in service) and Gastrodat (an Austrian hotel management software provider), with records pulled from over 170 facilities worldwide. The exposed data includes guest names, email addresses, phone numbers, birth details, ID document numbers, reservation IDs, stay dates, and property addresses. In some cases, internal safety flags and account credentials including JWT tokens were also compromised. Gastrodat alone accounted for 361,000 booking records (11.6 million entries), while Chekin exposed 311,400 records, including 253,000 ID document numbers. The attacker used Telegram to forward the stolen data in real time, though the unsecured server ultimately led to its discovery. The scale of the leak highlights vulnerabilities in hospitality sector security, with millions of travelers and guests now at risk of identity theft and fraud.

Marriott International Inc. faced a major data breach involving its Starwood-branded hotels, exposing the personal information of up to 383 million guests. The breach, which led to consolidated litigation, included sensitive customer data such as names, addresses, passport numbers, and payment details. The city of Chicago filed claims against Marriott, but the case was dismissed with prejudice after a settlement was reached. The incident underscores the severe consequences of large-scale data leaks, particularly in the hospitality sector, where trust and data security are critical. The breach not only risked financial fraud and identity theft for affected guests but also damaged Marriott’s reputation, leading to legal repercussions and regulatory scrutiny. The scale of the exposure—affecting hundreds of millions—highlights the systemic vulnerabilities in handling customer data across global operations.

Hotel giant Marriott International suffered a data breach after an unknown threat actor breached one of its properties and stole 20GB of files. The hackers stole 20GB worth of documents containing non-sensitive internal business files and some credit card information. Marriott hired a third-party security firm to investigate the incident and notified the affected individuals.

Hotel giant Marriott International suffered a data breach after an unknown person gained access to information about certain Marriott associates by accessing the network of an outside vendor formerly used by Marriott. Marriott immediately confirmed that the vendor was taking appropriate to steps to investigate the incident. The vendor reported that it was working with a forensic firm and had notified law enforcement. This incident did not impact the security of Marriott’s internal HR systems or platforms. The information in the document received by this vendor that contains your information includes your name, address, and Social Security number. Marriott hired a third-party security firm to investigate the incident and notified the affected individuals.

The California Office of the Attorney General disclosed a major data breach at Marriott International, Inc. on November 30, 2018, stemming from an unauthorized access to the Starwood guest reservation database. The breach, which began on or before September 10, 2018, exposed the records of approximately 500 million guests, with 327 million individuals having sensitive personal data compromised. This included names, mailing addresses, email addresses, and encrypted payment card numbers, though the encryption status of the latter was not confirmed to be broken. The incident originated from a vulnerability in Starwood’s systems, which Marriott had acquired in 2016, highlighting a failure in post-merger cybersecurity integration. The breach posed severe risks of identity theft, financial fraud, and reputational damage, given the scale and sensitivity of the exposed data. Regulatory investigations followed, with Marriott facing significant legal and financial repercussions, including fines under GDPR and other data protection laws. The incident underscored critical gaps in third-party risk management and the protection of customer data in large-scale corporate acquisitions.