Credential theft
Marriott International 2020 Breach: 5.2 Million Guests via Employee Credentials
Primary Source: Incident Details
In March 2020, Marriott International disclosed a second data breach (separate from the 2018 Starwood reservation-database breach, which affected about 383 million guests) in which an attacker used the login credentials of two employees at a franchise property to access a Marriott application used to provide services to guests. The unauthorized activity appears to have begun in mid-January 2020 and was identified at the end of February 2020, when Marriott noticed that an unexpected amount of guest information was being accessed through those two accounts; the credentials were then disabled and an investigation began. Approximately 5.2 million guest accounts were accessed. Exposed data included names, addresses, email addresses, phone numbers, loyalty account numbers and points balances, birth dates, gender, communication preferences, company affiliations, room preferences, and language preferences. Marriott stated that it had no reason to believe that loyalty account passwords or PINs, or payment card information, were involved. Marriott emailed affected guests, notified regulators worldwide, including the UK ICO, with which it was already engaged over the 2018 breach, and offered affected guests free identity monitoring services. The incident raised questions about multi-factor authentication for employee access to systems holding guest data and about the ability to detect anomalous access patterns, particularly when the access is performed with legitimate employee credentials: the volume of records pulled, not the login itself, was the only signal.
Technical Details
- Initial Attack Vector
- An attacker used the login credentials of two Marriott employees at a franchise property to access a Marriott application used to provide services to guests; because the logins were valid, the attacker read guest data for about six weeks (mid-January to the end of February 2020) before the unusual access volume was noticed
- Vendor / Product
- Marriott guest services application
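As an added example (not Marriott's code or tooling), the following Python script shows one way to catch the pattern this incident turned on: a valid employee account that suddenly reads far more distinct guest records per day than its own recent history. The audit-log line format, the account names, the property code and the daily volumes are all constructed for the example; a real deployment would read the application's actual access log.

```python
"""Volume-based anomaly detection for guest-record reads by legitimate accounts.

Added example; not Marriott code. Assumes a hypothetical application audit log with
one line per guest-record read:
    <ISO timestamp> user=<account> property=<code> action=guest_read guest_id=<n>
Each account's distinct-guest count per day is compared with the median of its own
previous days; a day that is both large in absolute terms and a multiple of that
baseline raises an alert.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) property=(?P<prop>\S+) "
    r"action=guest_read guest_id=(?P<guest>\d+)$"
)


def parse_line(line):
    """Return a dict for a guest_read line, or None for anything else (malformed or other actions)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "property": m["prop"], "guest": int(m["guest"])}


def distinct_guests_per_user_day(lines):
    """Map (user, date) -> set of distinct guest ids read that day."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        seen[(rec["user"], rec["ts"].date())].add(rec["guest"])
    return seen


def detect_volume_anomalies(lines, baseline_days=7, min_baseline_days=5,
                            ratio_threshold=5.0, min_records=100):
    """Flag (user, day) pairs whose distinct-guest count is >= min_records and
    >= ratio_threshold times the median of that user's counts over the previous
    baseline_days. Days with fewer than min_baseline_days of history are skipped
    (cold start), which a rule like this has to accept for brand-new accounts."""
    seen = distinct_guests_per_user_day(lines)
    counts = defaultdict(dict)  # user -> {date: distinct guest count}
    for (user, day), guests in seen.items():
        counts[user][day] = len(guests)
    alerts = []
    for user, per_day in counts.items():
        for day in sorted(per_day):
            window = [per_day[d] for d in per_day if 0 < (day - d).days <= baseline_days]
            if len(window) < min_baseline_days:
                continue
            base = median(window)  # median so one bad day does not poison the next day's baseline
            count = per_day[day]
            if count >= min_records and count >= ratio_threshold * base:
                alerts.append({"user": user, "date": day.isoformat(),
                               "count": count, "baseline_median": base})
    return alerts


def build_sample_log():
    """Constructed audit log (not real data): two front-desk accounts at one franchise
    property. 'fd-alice' is normal for eight days, then pulls 650 distinct guest records
    a day, the shape a stolen-credential bulk read produces; 'fd-bob' stays normal."""
    lines = []
    start = date(2020, 1, 6)
    for offset in range(10):
        day = start + timedelta(days=offset)
        for user, normal in (("fd-alice", 24), ("fd-bob", 27)):
            n = 650 if (user == "fd-alice" and offset >= 8) else normal
            for i in range(n):
                ts = datetime(day.year, day.month, day.day, 8, 0) + timedelta(seconds=40 * i)
                guest_id = 100000 + offset * 10000 + i  # distinct ids within each day
                lines.append(f"{ts.isoformat()} user={user} property=FRN-01 "
                             f"action=guest_read guest_id={guest_id}")
    # An unrelated action line, to show that the parser ignores it.
    lines.append("2020-01-10T12:00:00 user=svc-report property=FRN-01 action=export_report size=2MB")
    return lines


if __name__ == "__main__":
    for alert in detect_volume_anomalies(build_sample_log()):
        print(alert)
```

The absolute floor (`min_records`) stops the rule from firing when an account goes from one read to five, and the per-account median baseline means a night auditor and a reservations agent are each judged against their own normal rather than a site-wide average. The second anomalous day still alerts because the median of the trailing window is not dragged up by the first bad day. A detector like this complements multi-factor authentication rather than replacing it: MFA makes the credentials harder to use, volume monitoring shortens the window when they are used anyway.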
Timeline
- 2020-01 (mid-January) Unauthorized access using the two employees' credentials began
- 2020-02 (end of February) Unusual access volume identified; the two accounts' credentials disabled and investigation started
- 2020-03-31 Publicly disclosed
- 2020-03-31 Affected guests notified by email