Ransomware victim disclosure
← All victimsFour Points by Sheraton (Marriott International)
listed as four-points.marriott.com · Claimed by LockBit · listed 7 months ago
Status timeline
- ListedDec 7, 2025
- Data leakeddate unknown
At a glance
- Group
- LockBit
- Status
- Data leaked
- Country
- United States
- Listed on leak site
- Dec 7, 2025
About the victim
AI dossier — public-source company profileFour Points by Sheraton is a global mid-scale hotel brand owned and operated under Marriott International, offering business and leisure travel accommodations across hundreds of locations worldwide. The brand emphasizes comfortable, casual stays with amenities such as fitness centers, meeting spaces, and locally crafted food and beverage offerings. It is part of Marriott Bonvoy's portfolio of over 30 hotel brands.
- Industry
- Hospitality & Hotel Management
- Employees
- 10001+
- Founded
- 1995
Attack summary
Severity: critical — Marriott International manages a loyalty program with hundreds of millions of members globally; a confirmed data publication by LockBit against this entity implies potential exposure of PII at massive scale, including traveler profiles, payment-linked loyalty accounts, and reservation data — all regulated/sensitive categories.LockBit claims to have attacked the Four Points by Sheraton / Marriott Bonvoy entity associated with the domain four-points.marriott.com, with the disclosure status listed as data_published, indicating exfiltrated data has been released. The specific data types and volume were not detailed in the leak post excerpt.
Data the group says was taken
AI dossier — extracted from the leak post- Guest personal information
- Loyalty program (Marriott Bonvoy) member data
- Hotel reservation records
- Employee records
- Business event and meeting data
What the group claims
Marriott Bonvoy™, an award-winning travel program, offers a brand for every type of journey. Earn an...
Sources
- Victim sitefour-points.marriott.com
Source
Indexed 7 months agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

