Important Information Regarding Security of PBX Phone Systems
Franchisees

Marriott Enterprise Security has been made aware of an attack on non-Marriott branded hotel PBX (phone) systems where the attacker is able to access the PBX by dialing into the attached modem and using the default administrator account and password (if the hotel has not changed the default administrator password).
After logging into the PBX as the administrator, the attacker changes the administrator password from the default password to a password only they know, making it extremely difficult for the hotel to regain control of the PBX system. Then, the attacker is able to change the auto attendant feature on the PBX for the option that says “if you would like to make a reservation, press X” in order to redirect calls from the hotel’s reservation center to another call center where they can pretend to take the reservation and obtain the guest’s credit card information.
The following actions are being provided as guidance for franchisees:
- Turn off the attached modem if it is not needed for an active support call.
- Contact your PBX vendor to determine if the password for the administrator account has been changed to something other than the default. If the password has not yet been changed, it should be changed immediately. Marriott’s standard for administrator accounts is a password that is 12-25 characters in length (or the maximum number of characters supported by the system) including alpha-numeric, special characters, upper and lower case, and no common words greater than 3 characters.
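As an added illustration (not part of Marriott's notice or any PBX vendor's software), the check below turns the administrator password standard above, together with the reminder that default passwords must never be used, into code a hotel or vendor could run against a proposed PBX administrator password. The default-password set and the common-word list are constructed stand-ins; a real check would load the vendor's documented defaults and a full dictionary, and the 25-character ceiling is lowered to whatever maximum the PBX actually supports.

```python
import string

# Constructed, shortened stand-ins (assumption). A real deployment would load
# the PBX vendor's documented defaults and a full common-word dictionary.
KNOWN_DEFAULTS = {"admin", "password", "0000", "1234", "attendant"}
COMMON_WORDS = {"hotel", "admin", "password", "marriott", "phone", "guest",
                "welcome", "front", "desk", "1234", "attendant"}


def check_pbx_admin_password(pw: str, max_supported: int = 25,
                             common_words=COMMON_WORDS) -> list:
    """Return the list of policy violations for a PBX administrator password.

    An empty list means the password meets the stated standard: 12-25
    characters (capped at what the PBX supports), letters and digits, upper
    and lower case, a special character, and no common word of 4+ characters.
    """
    problems = []
    if pw in KNOWN_DEFAULTS:
        problems.append("is a known default password")
    # The 12-25 range shrinks to the system maximum where that is lower.
    upper = min(25, max_supported)
    lower = min(12, max_supported)
    if not lower <= len(pw) <= upper:
        problems.append(f"length {len(pw)} outside {lower}-{upper}")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # Case-insensitive substring match: "Hotel2024" still contains "hotel".
    hits = sorted(w for w in common_words if len(w) > 3 and w in pw.lower())
    if hits:
        problems.append("contains common word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("Admin1234!", "hotelphone2024!!", "Lobby7!xQv2#mRk9p"):
        result = check_pbx_admin_password(candidate)
        print(candidate, "->", result or "compliant")
```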
As a reminder, default passwords should never be used for any hotel system. We appreciate your prompt action to address this important security issue.