Marriott announce data breach of information for as many as 500 million people
The Marriott Hotel chain announced on Friday 30 November 2018 that information contained in its Starwood brands guest reservation database was compromised. Unauthorised access occurred in connection with reservations at Starwood properties on or before 10 September 2018, potentially dating back to 2014.
Marriott received an alert from a security tool on 8 September 2018 which indicated that an outside force was attempting to access Starwood’s guest reservation database. The company consulted external security experts, who determined that hackers had accessed the database for up to four years. During this time the hackers apparently copied and encrypted guest information and “took steps towards removing it”.
The firm issued the following statement:
“It contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).”
Marriott has said it is still investigating the breach, working with law enforcement, and “has begun notifying” regulatory authorities about the incident. This may well include the UK’s Information Commissioner’s Office as well as data commissioners from other EU states.
The GDPR requires firms to report a data breach involving information about EU citizens within 72 hours. It is unclear at present precisely when Marriott began alerting regulators about this incident, and also what percentage of the breached data is that of EU citizens.
Marriott now potentially faces a fine under GDPR which could be up to 4% of its global revenue or 20 million euros (whichever is higher).