Marriott, Hilton become victims of customer data hack

Marriott International and Hilton Worldwide have warned their customers that their e-mail addresses may have been leaked, following a security breach at the US marketing firm Epsilon.

The two hotel chains were amongst numerous companies whose customer data was stolen after a hacker gained access to Epsilon’s accounts.

However, Epsilon says the breach involves only customer names and e-mail addresses from a proportion (2 per cent) of its client base. No financial information was included in the breach, it said.

Both Marriott and Hilton have contacted customers and issued statements confirming the breach.

Epsilon data breach

Marriott International said in a statement yesterday that it was “notified by Epsilon, a marketing vendor used by numerous companies, including Marriott, to manage customer emails, that an unauthorised third party gained access to a number of Epsilon’s accounts, including Marriott’s email list.

“The unauthorised person(s) had access to names and email addresses only, not to sensitive customer information, such as physical addresses, point balances, account logins and passwords, credit card information or other personal data.”

A Hilton Worldwide spokesperson confirmed to BigHospitality: “We were notified by a database marketing vendor, Epsilon, that we are among a group of companies affected by an Epsilon data breach.

“The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. We are contacting those customers to inform them of this incident and remind them to avoid responding to unsolicited e-mails (spam).

“We are working with Epsilon to ensure similar incidents do not occur in the future.”

Affected companies

The security breach is thought to have affected around 50 companies, based on Epsilon’s statement that 2 per cent of its 2,500 e-mail clients have been impacted.

Other impacted firms include UK-based Marks & Spencer, the US retail chains Kroger, Walgreens and Target, financial services firm JPMorgan Chase and recreation resort Disney Destinations.

Epsilon has confirmed that the breach occurred on 30 March, and said that “a full investigation is currently underway”.