Marriott security data breach: what really happened?

The story about Marriott International is a story about a lesson not learned. In the midst of their appeal against the £99 million GDPR fine (or around $124 million), Marriott suffered another data breach, this time affecting 5.2 million individuals.

This is the second major data breach to hit this American hotel group in the past two years.

2020 Marriott Breach

On March 31, 2020, Marriott issued an incident notification declaring that contact details, such as names, mailing addresses, loyalty account numbers and other personal information of an estimated 5.2 million guests may have been exposed in a data breach.

In their official statement, they noted that the issue involved an application that hotels operating under Marriott’s brands use to provide services to guests.

At the end of February 2020, they identified that guest information might have been accessed using the login credentials of two employees at a franchise property. It is believed that the activity started in mid-January 2020.

The data affected in the breach

The data exposed included contact details (name, mailing address, email address, and phone number), loyalty account information (account number and points balance, but not passwords), additional personal details (company, gender, and day and month of birth), partnerships and affiliations (linked airline loyalty programs and numbers), and guest preferences.

However, Marriott stated that passport numbers, payment card information, driver’s license information, or identification numbers were NOT among the personal data accessed by the hackers.

Marriott’s own investigation is still ongoing, so further details may be disclosed in the future.

2014 Starwood hotels breach

In order to fully understand the seriousness of the situation, it is important to go back to 2014, when hackers gained unauthorized access to Starwood’s network.

In 2016, Marriott acquired the Starwood hotels group. What was supposed to be a lucrative investment for Marriott turned into a steep GDPR fine and a true nightmare.

Marriott exposed itself to the cyber-attack through the acquisition of the Starwood hotels group. During the acquisition, Marriott failed to detect the lack of appropriate security measures in Starwood’s systems, which allowed the hackers to access and copy the guest database.

In late 2018, the American hotel giant disclosed a data breach that impacted approximately 339 million guest records globally. According to the statement of the UK Information Commissioner’s Office (ICO), 30 million of those 339 million individuals were residents of the EEA.

This gave the UK’s data protection authority the green light to issue a notice of intent to fine Marriott International under the GDPR for that data breach.

The ICO has been investigating this case as lead supervisory authority on behalf of the other EU Member State data protection authorities, since the GDPR protects the data of EU citizens and residents even when that data is transferred outside the EU.

However, the fine has not been made final yet. Marriott has expressed its intention to appeal, and the fine has recently been deferred pending the completion of further investigations.

The latest extensions appear to have been granted to give the ICO more time to conduct further investigations, consider the company’s representations regarding the fine, and seek the views of other EU data protection authorities.

The current coronavirus outbreak is most likely another reason why the decision on the fine has been postponed.

Conclusion

It is now evident that Marriott has suffered irreparable reputational damage. If the first data breach did not do the job, the second one surely sealed the deal.

The GDPR fine issued to the hotel chain over the 2018 data breach pointed to serious shortcomings in its security systems, and it is obvious that those shortcomings still pose a real threat to the personal information of its guests.

It is yet to be seen how this incident will unfold and whether the data protection authority will now be even more encouraged to go through with the initial fine for the 2018 data breach.

If you want to know more about GDPR fines, check out our blog post 5 biggest GDPR fines so far [2020].
