The private personal data of approximately 500 million people has been obtained in a hacking attack on Marriott International, according to a statement the hotel chain filed with US regulators last Friday, November 30. This will, most likely, have General Data Protection Regulation (GDPR) implications in the European Union.
The breach was first detected around September 10 in the company's guest reservation database, and it is believed to affect records going back as far as 2014. Marriott International is the parent company of a group of hotel brands including Westin, Le Méridien and Sheraton.
A public release from Marriott International said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott added that it "has not finished identifying duplicate information in the database", but believes the data covers up to roughly 500 million guests who made a reservation at a Starwood property.
The statement went on to say: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
In other words, the 327 million most exposed records combine names, postal addresses, phone numbers, dates of birth, gender, email addresses and passport numbers. An undisclosed number of further records contained payment card details that Marriott says were encrypted; whether that encryption actually protects cardholders depends on whether the decryption keys stayed out of the attacker's hands, which the statement does not address.
The company said that it recovered and decrypted the data on November 19 and "determined that the contents were from the Starwood guest reservation database."
There are likely to be GDPR implications should it emerge that any of the affected guests were in the EU (the regulation protects data subjects in the Union regardless of citizenship). Given the global scale of the group, that is all but certain. If so, the group could face the highest tier of GDPR fine: up to 4% of annual global turnover or €20m, whichever figure is higher.
It is still unclear why the group took so long to contact those affected. GDPR, enforceable since May 25 this year, requires a breach to be reported to the relevant data protection authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it; the 72-hour clock therefore started in September, not November. It remains unknown whether Marriott International met this obligation. Notification emails were first sent by the group to affected guests on the Marriott International/Starwood guest reservation database on November 30.
As a precautionary measure the company is offering affected guests free enrolment in WebWatcher. This is an Internet-based monitoring service that watches sites where stolen personal information is shared or traded and sends enrolled users an alert if their details turn up. It is worth noting that this is a detective control only: it flags misuse after the fact and does nothing to prevent it, so guests whose passport numbers or SPG account details were in the database should treat them as compromised regardless of whether an alert ever arrives.