The second biggest corporate data breach in history has just been revealed. Sitting between the Yahoo breach, disclosed in 2017 as affecting 3 billion accounts, and the Adult FriendFinder hack, which compromised 412 million accounts, the Marriott hack is the latest high-profile data privacy failure.
On 30 November 2018, Marriott announced a security incident involving the Starwood guest reservation database. According to the hospitality company, personal information belonging to around 327 million guests was compromised. The exposed data included names, email addresses, phone numbers, dates of birth, passport numbers and arrival and departure dates. Marriott also warned that encrypted payment card numbers were held in the same database and that it could not rule out that the attackers had also obtained what they would need to decrypt them.
Arne Sorenson, Marriott’s President and Chief Executive Officer said:
We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
Could the Marriott hack be the first big GDPR fine?
Although Marriott is US-based, the breach almost certainly affected personal data belonging to people in the European Union. That brings it within the scope of the GDPR, which allows a fine of up to €20 million or 4% of the company's annual worldwide turnover, whichever is higher.
The UK's Information Commissioner's Office (ICO) was the first national data protection authority to react, stating:
We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries.
We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online.