Up to 500 Million People Affected in Marriott International Data Breach

December 6, 2018


The personal data of roughly 500 million people was obtained in a hacking attack on Marriott International, according to a statement the hotel chain filed with US regulators last Friday, December 1. The breach may also have General Data Protection Regulation (GDPR) implications in the EU.

The breach was first detected on Marriott International's guest reservation database around September 10, and records dating back as far as 2014 are believed to be affected. Marriott International is the parent company of a group of hotel chains including W, Westin, Le Méridien and Sheraton.

In a public statement, the President and Chief Executive of Marriott International said: “We deeply bemoan that this incident occurred. We fell short of what our guests merit and what we expect of ourselves. We are doing everything we can to help our guests, and using lessons learned to be better moving forward.”

Marriott added that it “has not completed classifying duplicate information in the database”, but believes it contains information on up to approximately 500 million guests who made a booking at a Marriott International property.

The statement went on to say: “For roughly 327 million of these guests, the information contains some blend of name, reservation date, arrival and departure information, gender, date of birth, Starwood Preferred Guest (“SPG”) account information, passport number, email address, phone number, mailing address, and communication preferences.”

In other words, the 327 million exposed records may contain guests' names, postal addresses, telephone numbers, dates of birth, gender, email addresses and passport numbers, while an undisclosed number of records also held encrypted credit card details.

The firm said that it obtained and decrypted the database on November 19 and “concluded that the contents were from the Starwood guest reservation database.”

GDPR implications are likely if any of the customer records belong to European Union residents, which is highly probable given the group's international scope. If so, the group could face the maximum GDPR fine of up to 4% of annual worldwide turnover or €20m, whichever figure is higher.

It is still unclear why the group took so long to contact those affected and make them aware of the breach. The GDPR, which became enforceable on May 25 this year, requires that a breach be reported to the relevant data protection authority within 72 hours of its discovery. It remains unknown whether Marriott International met this obligation. The group first sent notification emails to affected customers on the Marriott International/Starwood guest reservation database on November 30.

As a protective measure, the firm is offering customers free enrollment in WebWatcher. This is an internet-based monitoring service that checks websites where personal information is shared and sends an alert to account holders if suspicious activity involving their personal information is found.