A Major Hotel Chain Reports a Data Breach Affecting Over 5 Million Customers

On March 31, 2020, hotel chain Marriott International disclosed that it suffered a second major data breach in the last two years.  According to the notice posted on its website, at the end of February of 2020, the company discovered that an unexpected amount of guest information was accessed from one of its applications using the login credentials of two employees at a franchise property.

At this point, the company believes that personal information of approximately 5.2 million guests might have been hacked, including guest contact details (such as name, mailing address, email address and phone number), guest personal details (such as company, gender, and birthday day and month), loyalty account information, partnerships and affiliations, and certain guest preferences.  The company believes that the unauthorized access began sometime in mid-January 2020.

This is a second major breach disclosed by Marriott in the last two years.  In November 2018, Marriott disclosed that personal data contained in approximately 339 million guest records globally were exposed as a result of a breach into the Starwood hotels system in 2014.  Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until two years later. The investigation by the Great Britain’s data protection authority ICO revealed that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.  As a result, in July of 2019, the ICO announced its intention to fine Marriott $123 million for violations of the GDPR.   The final penalty notice has not yet been published and the company is likely to appeal any final decision by the ICO.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653