Marriott Faces $123 Million GDPR Fine Over Starwood Data Breach

By: Wang Wei

After hitting British Airways with a record £183 million fine earlier this week, the UK’s data privacy regulator is now planning to fine the world’s biggest hotel chain, Marriott International, £99 million ($123 million) under GDPR over a data breach that dates back to 2014.

This is the second major penalty notice in two days against a company that failed to implement adequate security measures and to protect its customers’ personal and financial information from compromise.

In November 2018, Marriott discovered that unknown hackers had compromised its guest reservation database through its Starwood hotels subsidiary and walked away with the personal details of approximately 339 million guests.

The compromised database leaked guests’ names, mailing addresses, phone numbers, email addresses, dates of birth, gender, arrival and departure information, reservation date, and communication preferences.

The breach, which likely began in 2014, also exposed unencrypted passport numbers for at least 5 million users and credit card records for eight million customers.

According to the Information Commissioner’s Office (ICO), nearly 30 million residents of 31 European countries and 7 million UK residents were affected by the Marriott data breach.

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Last year, Europe introduced the General Data Protection Regulation (GDPR), which requires companies to ensure that the way they collect, process, and store personal data is secure.


Marriott Mega-Breach: Victim Count Drops to 383 Million

By: Mathew J. Schwartz

Hotel Giant Warns 5.3 Million Unencrypted Passport Numbers Also Stolen

Marriott International says its recently discovered mega-breach isn’t quite as bad as first advertised, in terms of the total number of victims. But it also warns that hackers stole 5.25 million unencrypted passport numbers that its hotels were storing as well as 8.6 million encrypted payment cards.

On Nov. 30, 2018, Marriott said it had suffered a breach that began in 2014 with the compromise of the reservation database used by Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016 for $13 billion.

Marriott originally estimated that the breach exposed information for 500 million customers. It also said that for 327 million customers, exposed information included their “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.”

But on Friday, Marriott said that instead of its estimate of 500 million customers having had some form of personal information exposed, it now believes that 383 million is the “upper limit” of affected customers.

“We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” it says in its revised data breach notification.

Marriott, which is publicly traded on NASDAQ and based in Bethesda, Maryland, owns or franchises more than 6,700 properties across 30 hotel brands located in 129 countries and territories.

Unencrypted Passport Data Stolen

Marriott also says that its breach investigation now counts 25.6 million passport numbers exposed in the breach, of which 5.25 million were unencrypted. “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott says. But that does not mean the attackers could not later decrypt the numbers by brute force.