The investigation of a General Data Protection Regulation (GDPR) breach by the Marriott Hotels Group revealed that fewer people were impacted by its data breach than initially thought. Despite this, the Marriott Hotels Group is still facing a financial penalty of up to $915 million for violating the European Union legislation.
At first, the breach was reported to have compromised the private data of about 500 million people. But now, it is believed that 383 million individuals were affected. The compromised data is thought to include unencrypted passport information together with 20.3 million encrypted passport numbers. The stolen information could possibly be used for illegal transactions and identity theft.
The investigation is still ongoing in the countries in which the Marriott Hotel Group operates. Each country’s local data protection body is reviewing the data breach and assessing its impact. The GDPR legislation can subject a violating entity to a maximum penalty of up to €20 million or 4% of annual global income for the preceding year, whichever amount is higher. Marriott reported an annual global income of $22.89 billion in 2017. In this instance, the fine that the group might be required to pay is $915 million.
Marriott responded quickly to the breach and has offered compensation to all individuals potentially impacted by the data breach to allow them to get their passports reissued, hence reducing the risk of fraudulent use of their information. Additionally, the Marriott Hotel Group created an online portal and is responding to questions from customers in relation to the data breach. A dedicated call center has also been set up to handle queries.
Even so, reports today reveal that the Marriott Hotels Group will face class action lawsuits in the U.S. On January 9, a class action lawsuit was filed in Maryland federal district court. The case covers plaintiffs in several US states where data protection laws were allegedly breached. The Marriott Group has been accused of engaging in “deceptive, unconscionable, and substantially injurious practices.”
This incident demonstrates the value of making sure that all information systems are protected properly and GDPR requirements are followed.