According to a statement released by Marriott International, the personal information of around 500 million people has potentially been compromised in a hacking incident. This breach is viewed as having General Data Protection Regulation (GDPR) implications in the European Union.
The data privacy breach was identified by Marriott International around September 10, although the breach dates back to 2014, when the hacker first gained access to a database containing the personal information of individuals who had made bookings at the Starwood Hotels and Resorts group, which was acquired by Marriott two years ago. The group includes the hotel chains W, Le Méridien, Westin and Sheraton.
In a press release, Marriott International’s President and Chief Executive Officer expressed deep regret that this incident occurred and acknowledged that the company had failed to meet the expectations of its guests. The company is doing all it can to assist guests, will learn from its mistakes and will take steps to prevent similar breaches from occurring in the future.
Marriott remarked that the investigators have not finished deduplicating the data, but it is believed that up to 500 million guests who made bookings have been affected. The press statement also mentioned that the information of about 327 million guests included some combination of name, email address, mailing address, telephone number, passport number, date of birth, gender, Starwood Preferred Guest (“SPG”) account details, arrival and departure details, date of reservation, and contact preferences.
Encrypted credit card information may also have been stolen. While encrypted data cannot be read without the two keys needed to unlock the encryption, Marriott has suggested that this information may also have been stolen. The attacker also encrypted the database. It took until November 19, 2018 for Marriott to decrypt the Starwood guest reservation database.
Considering the global reach of this hotel group, it is likely that there will be GDPR implications if any of the customer information belongs to residents of the EU. If there has been a GDPR violation, the group may be fined up to 4% of annual global income or €20 million, whichever amount is higher.
GDPR legislation requires breach notifications to be sent to the local data protection authority within 72 hours of the date of discovery. Marriott has notified the Information Commissioner's Office in the UK, which is making enquiries.
Marriott International is giving affected customers in the United States free access to WebWatcher. This is a web-based service that monitors websites for the distribution of personal data and sends a warning to subscribers if suspicious activity is discovered.