Tag: Marriott
9. November 2020
The Information Commissioner’s Office (ICO) fines Marriott International Inc. (Marriott) £18.400.00 (€20.397.504).
The fine refers to a data breach which occurred in 2018. Back then the world’s largest hotel company based in the USA suffered a massive data breach affecting up to 383 million customers. For Marriott it is still not possible to state the exact number of people affected.
The ICO considers it proven that Marriott failed keeping customers’ personal data secure. In context of the breach confidential data like name, address and contact data as well as unencrypted passport and credit card data has been unauthorized accessed.
In a previous statement in 2019 the ICO announced, that it intends to fine Marriott with a fine of £99.200.396 (€109.969.591) this fine has now been reduced.
The reduction is based on the following reasons: the ICO considered the presentations from Marriott as well as the taken steps by Marriott as well as the consequences of the COVID-19 pandemic.
In October, the fine previously issued by the ICO against British Airways was also reduced, again partly because of the consequences of the COVID-19 pandemic.
Since the data breach occurred before the UK left the EU, the ICO investigated on behalf of all European Data Protection Authorities as lead Supervisory Authority and the fine has been approved by all other Authorities.
7. January 2019
Marriott International Inc, the world’s largest hotel company, based in the USA, which was hit by a data breach in 2018, has announced new information regarding the breach in which unauthorized access to the Marriott subsidiary Starwood’s reservation database was made (we reported).
Contrary to initial statements, not 500 million records of hotel guests but only 383 million are affected. It should be noted that for a guest who has stayed several times in one of the hotels belonging to the Marriott Group, there is one record for each overnight stay. According to this, not 383 million people were affected, but fewer. However, the Marriott Group cannot give the exact number of people affected.
In addition to the corrected number of victims, Marriott announced that some confidential data such as passport and credit card numbers were unencrypted. About 5,25 million unencrypted and about 20,3 million encrypted passport numbers could be viewed by unauthorized persons. According to the company, the master key for decryption was not copied.
In addition, around 8,6 million encrypted credit card numbers were affected, of which only 345.000 were still valid. Here, too, the master key could not be captured. At the moment, it is still being investigated whether credit card numbers entered in the wrong fields and thus stored unencrypted are affected.
3. December 2018
Marriott International Inc., the world’s largest hotel company, was hit by a data breach affecting up to 500 million customers.
Marriott said it has found a data breach in the Starwood guest reservation database regarding the hotels ‘Westin’, ‘Sheraton’, ‘Le Méridien’, ‘St. Regis’ and ‘W Hotels’. The main brand Marriott does not belong to it. Marriot had bought its competitor Starwood in 2016 and thus obviously their security gap at the same time.
Up to 500 million customers may have been affected by the breach and, of those impacted, roughly two-thirds had their names, addresses, phone numbers, email addresses, passport numbers and duration of stay compromised. It is also possible that payment card information were caught in the breach.
An internal tool alerted a potential data breach on September 8th, 2018. An investigation subsequently initiated revealed that the guest database may have been compromised since 2014. At the moment Marriott could not rule out the possibility that the files needed for decryption had also been stolen. This would mean that the attackers could also use the stolen data to, for example, shop with them.
As a result, Starwood’s IT systems will be phased out.
Since Friday, those affected have also been informed and customer can find out more on the website.