The story about Marriott International is a story about a lesson not learned. In the midst of their appeal against the £99 million GDPR fine (or around $124 million), Marriott suffered another data breach, this time affecting 5.2 million individuals.
This is the second major data breach to hit this American hotel group in the past two years.
2020 Marriott Breach
On March 31, 2020, Marriott issued an incident notification declaring that contact details, such as names, mailing addresses, loyalty account numbers and other personal information of an estimated 5.2 million guests may have been exposed in a data breach.
In their official statement, they noted that the issue involved an application that hotels under Marriott’s brands use to help provide services to guests at hotels.
At the end of February 2020, they identified that guest information might have been accessed using the login credentials of two employees at a franchise property. It is believed that the activity started in mid-January 2020.
The data affected in the breach
The data exposed included contact details (name, mailing address, email address, and phone number), loyalty account information (account number and points balance, but not passwords), additional personal details (company, gender, and birthday day and month), partnerships and affiliations (linked airline loyalty programs and numbers) and guests preferences.
However, Marriott stated that passport numbers, payment card information, driver’s license information, or identification numbers were NOT among the personal data accessed by the hackers.
However, investigation on their side is still ongoing, so further information may be disclosed in the future.
2014 Starwood hotels breach
In order to fully understand the seriousness of the situation, it is important to go back to 2014 when hackers gained unauthorized access to Starwoods’ network.
In 2016 when Marriott acquired the Starwood hotels group, and what was supposed to be a lucrative investment for Marriott, turned into a steep GDPR fine and a true nightmare.
Marriott exposed itself to the cyber-attack after the acquisition of the Starwood hotels group. During their acquisition, Marriott failed to detect a lack of appropriate security measures, which allowed hackers to access and copy their database.
In late 2018, the American hotel giant disclosed a data breach that impacted approximately 339 million guest records globally. According to the ICO statement, out of those 339 million individuals, 30 million were residents of the EEA.
This gave the green light to the UK’s data protection authority, to issue the intent to fine Marriott International under the GDPR for the mentioned data breach.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities, since GDPR protects the data of its citizens and residents, even if the data is transferred outside the EU zone.
However, the fine is not made final yet. Marriot has expressed their intention to appeal and recently the fine has been deferred pending the completion of further investigations.
The latest extensions appear to have been granted to give the ICO more time to conduct further investigations, consider the companies’ representations regarding the fines, and seek the views of other EU data protection regulations authorities.
A current situation with the Coronavirus outbreak is most likely adding to the reasons why the decision about the fine has been postponed.
Conclusion
It is now evident that Marriott suffered irreparable reputation damages. If the first data breach did not do the job, the second one surely sealed the deal.
The GDPR fine issued to the hotel chain in 2018 implied serious shortcomings in their security systems, and it is obvious they still pose a real threat to the personal information of their guests.
It is yet to be seen how this incident will unravel and if the data protection authority will now be even more encouraged to go through with the initial fine for a 2018 data breach.
If you want to know more about GDPR fines check out our blog