Marriott’s email alerting guests about a massive data breach may have compounded the problem.
The email did not appear to be legitimate, and was itself easily spoofable, according to TechCrunch.
The notification email was sent from the domain "email-marriott.com," which is registered to a third-party vendor, CSC, TechCrunch says. But the domain lacked an HTTPS certificate, and was not easily discernible as genuine.
The danger is that cybersquatters will set up similar domains, it adds.
Similar confusion existed following the Equifax breach last year, when victims were inadvertently sent to a fake site set up by a developer to expose the firm’s weakness, the report states.
The report comes amid mounting legal problems for the hotel chain, and widespread speculation over possible GDPR penalties.
Yesterday, for example, a class action suit was filed against Marriott by the law firm of Kessler Topaz Meltzer & Check, LLP in the U.S. District Court for the District of Maryland.
The suit alleges that Marriott failed to implement proper cybersecurity measures and to notify customers of the breach in a timely way.
This follows the filing of several similar suits, including one seeking $1.2 billion in damages.
In addition, at least two shareholder suits have been filed against Marriott.
One, filed by the law firm of Bernstein Liebhard LLP, alleges that Marriott made false claims about the security of its customer data in filings with the Securities and Exchange Commission, and that “share in Marriott’s stock fell sharply during intraday trading” after Marriott announced the breach last Friday.
The complaint asks that shareholders be compensated for their losses. The case is on file with the U.S. District Court for the Eastern District of New York.
In addition, RM Law, P.C. announced the filing of a shareholder suit.
Marriott announced the breach, which exposed data on 500 million people, last Friday, and revealed that unauthorized access to the Starwood reservation database dated back to 2014.
The data on 327 million guests includes such details as name, email address, mailing address, phone number, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences, the company said.