(United Kingdom) Marriott has announced a data breach impacting its customers, which started in January 2020 and was discovered by the company in February. Compliance Week reports as follows:
Marriott International says a breach may have compromised the personal data of 5.2 million customers, the second significant data breach for the hotel chain in less than two years.
A significant penalty under the EU’s General Data Protection Regulation (GDPR) after the first breach in November 2018 still hangs over Marriott in the United Kingdom. The company said in a press release Tuesday that it has begun sending emails about the latest incident to potentially affected customers.
The new breach, which Marriott said it discovered in February, compromised customers’ contact and personal details, loyalty account information, partnerships and affiliations, and room preferences. The company said it does not believe any personal financial information—like credit card numbers—or personal identification, including passports, national IDs, and driver’s licenses, were compromised in the breach.
The breach began in January 2020, Marriott said. A month later, the company noticed “an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.” The login was disabled, and the company notified federal authorities and began its own investigation into the breach. Marriott did not say who used the login credentials to gain access to the company’s database.
Marriott said it “notified relevant authorities and is supporting their investigations.” The hotel chain has set up a dedicated Website and call center resources with additional information for guests
“The company does not currently believe that its total costs related to this incident will be significant,” the release said.
Verbatim text of Marriott press release:
Marriott International announced that it is notifying some of its guests today of an incident involving a property system. The notice explains what occurred, the information involved, the measures taken by Marriott to investigate and address the issue, how Marriott is assisting guests, and steps guests can consider taking.
Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.
Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.
At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved:
contact details (e.g., name, mailing address, email address, and phone number)
loyalty account information (e.g., account number and points balance, but not passwords)
additional personal details (e.g., company, gender, and birthday day and month)
partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
preferences (e.g., stay/room preferences and language preference)
Today, Marriott is sending emails to guests involved. Marriott has also set up a dedicated website (www.mysupport.marriott.com) and call center resources with additional information for guests. The call center resources can be reached by calling the numbers listed on the dedicated website. The email sent to guests and the website also contain a list of steps guests involved can consider taking and information about enrolling in a personal information monitoring service that Marriott is providing.
Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage. The company does not currently believe that its total costs related to this incident will be significant.
(Privacy press clipping sourced via Compliance Week)
Jurisdiction: United Kingdom
This data breach is relatively small, affecting some 5.2 million individuals, compared with the 339 million records involved in Marriott’s earlier breach. There is a notice of intention pending for the earlier breach, under which the UK’s ICO has said it wants to fine Marriott almost 100 million British pounds.
It is not known whether regulators will take action on the breach. Marriott has said it does not believe its costs arising out of the incident will be “significant”, which could mean that it does not expect hefty fines. Prompt notification to authorities is usually considered a mitigating circumstance putting downward pressure on any fine imposed.
If UK citizens are residents are impacted, the UK’s ICO may be one authority choosing to take action. The ICO has previously taken action against Marriott in the past and is typically fairly aggressive in fining large corporations for avoidable security breaches. Going by the 2019 fine, a fine for this case could be (approximately) GBP 1.5 million. No two cases are alike, of course, so any simple estimate must be taken with a grain of salt.