Millions of Marriott customers hit by new data breach
The hotel brand said it is notifying guests of the incident, the information involved and the steps it is taking to investigate and address the issue.
It said that towards the end of February, it identified that an “unexpected amount of guest information may have been accessed” after the login details of two employees at a franchise property were used.
The breach is believed to have started in mid-January 2020, and the company said details of up to 5.2 million guests may have been accessed.
Details exposed include contact details, loyalty account information, partnerships and affiliations such as linked airline loyalty programs and numbers, and customer preferences such as room and language preferences.
The company added it has no reason to believe that passwords, PINs, payment card information, passport, national IDs and driving licence details were exposed during this latest data breach.
After making the discovery, it disabled the login credentials and launched an investigation, adding that it has also notified the relevant authorities.
Marriott has set up a dedicated website to provide customers with information.
A post on its website stated: “Marriott International announced that it is notifying some of its guests today of an incident involving a property system. The notice explains what occurred, the information involved, the measures taken by Marriott to investigate and address the issue, how Marriott is assisting guests, and steps guests can consider taking.
“Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage. The company does not currently believe that its total costs related to this incident will be significant.”
This is the second time the group has suffered a data breach after it confirmed in 2018 the records of up to 500 million customers may have been exposed.
Aman Johal, director of consumer action law firm, Your Lawyers, said: “The latest data breach from the Marriott Hotel Group has come just two years after the last one was discovered.
“It’s worrying that the credentials for just two employees can lead to more than five million people’s data being put at risk. The fact that hackers were able to access the system simply by using employee log-in details should never happen.
“Although Marriott has launched a full investigation and notified those affected, it’s vital for the Group to reinforce its security systems and ensure that there are, at the very least, access restrictions and multi-layered security in place like two-factor authentication when it comes to access to such a monumental wealth of information. This is a major breach of consumer rights that has left people vulnerable from data exposure for the second time in two years.”
Johal added that after the previous breach discovered in 2018, the Information Commissioner’s Office issued a provisional intention to fine Marriott International £99m under the GDPR. This second breach means a new fine may be on the horizon.