Marriott May Face GDPR Fine of More Than £17m

Date: December 2018

Location: Global

What: Marriott was hacked, and the data of approximately 500 million guests was compromised.

Although Marriott is based in the US, some of the affected guests are resident in the European Union, so the breach falls under the European Union General Data Protection Regulation (GDPR).

It is estimated that it could face a fine of up to €20 million (£17.8 million) or 4% of its annual global turnover, whichever is higher. Marriott’s turnover in 2017 was $22.9 billion (£20.4 billion).

It is also understood that two American law firms have filed a class action lawsuit against the US-based hotel chain.

Meanwhile, US senator Charles Schumer has called on the hotel group to reimburse those affected to allow them to purchase new passports.

On September 8, Marriott was alerted to an attempt to access the Starwood guest reservation database and discovered that there had been unauthorised access to the database since 2014. Marriott acquired Starwood in 2016.

For approximately 327 million guests, the information included some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Because of the covert nature of the hack, neither Marriott nor Starwood was aware of the hackers’ presence until this past September.

What XM Cyber’s Principal Security Architect Rich Gardner finds troubling is that the stolen information also includes payment card numbers and payment card expiration dates. The card numbers were encrypted with the Advanced Encryption Standard (AES-128), but encryption only protects the data for as long as the decryption keys stay out of the attacker’s hands.

Two components are needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken.

“What this means is that the person or people that hacked into this system must have been there for quite some time in order to find the two keys to decrypt the credit card information,” he said. “Or, the credit processing system or the application that stored the credit card information was poorly designed.”
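Marriott has not said what its two decryption components are. The pattern below is an added example (not Marriott's or Starwood's code) of the design Gardner is alluding to: envelope encryption, where each card number is encrypted under its own data-encryption key (DEK) with AES-128-GCM and the DEK is stored next to the ciphertext only in wrapped form, under a key-encryption key (KEK) that never sits in the database. The `CardRecord` type, function names and the test card number are all assumptions made for this illustration; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"log"
)

// CardRecord is the shape that would sit in the reservation database
// (hypothetical layout for this example). It carries the encrypted card
// number and the per-record DEK, itself encrypted. The KEK is deliberately
// absent: it lives in an HSM or key service, so a dump of this table is
// only the first of the two components needed to decrypt.
type CardRecord struct {
	Nonce      []byte // GCM nonce for the card-number ciphertext
	Ciphertext []byte // AES-128-GCM(DEK, cardNumber)
	WrapNonce  []byte // GCM nonce for the wrapped DEK
	WrappedDEK []byte // AES-128-GCM(KEK, DEK)
}

// gcmSeal encrypts plaintext under a 16-byte key (AES-128) with GCM and a
// fresh random nonce, returning nonce and ciphertext (tag appended).
func gcmSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; a wrong key or a tampered ciphertext fails the
// GCM authentication check rather than yielding garbage.
func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// NewKey returns a random 16-byte key (AES-128), used for the KEK and for DEKs.
func NewKey() ([]byte, error) {
	k := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// EncryptCard generates a fresh DEK for this record, encrypts the card number
// under it, then wraps the DEK under the KEK. Only the wrapped DEK is stored.
func EncryptCard(kek []byte, cardNumber string) (CardRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return CardRecord{}, err
	}
	nonce, ct, err := gcmSeal(dek, []byte(cardNumber))
	if err != nil {
		return CardRecord{}, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptCard needs both components: the stored record and the KEK.
// Without the KEK the DEK cannot be unwrapped, so the card number stays opaque.
func DecryptCard(kek []byte, r CardRecord) (string, error) {
	dek, err := gcmOpen(kek, r.WrapNonce, r.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := gcmOpen(dek, r.Nonce, r.Ciphertext)
	if err != nil {
		return "", fmt.Errorf("decrypt card number: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek, err := NewKey() // in practice fetched from an HSM/KMS, never written next to the data
	if err != nil {
		log.Fatal(err)
	}
	rec, err := EncryptCard(kek, "4111111111111111") // constructed test card number
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("stored ciphertext: %x\n", rec.Ciphertext)
	if _, err := DecryptCard(make([]byte, 16), rec); err != nil {
		fmt.Println("attacker holding only the database dump:", err)
	}
	pan, err := DecryptCard(kek, rec)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("application holding the KEK:", pan)
}
```

The point of the split is operational: an attacker who copies the reservation database gets ciphertext and wrapped DEKs, and has to compromise a second system (the KEK holder) before any card number is readable. Gardner's two failure modes map directly onto this design: either the intruder stayed long enough to reach that second system as well, or the application kept the KEK somewhere the database dump already covered.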

Marriott, the largest hotel company in the world with more than 6,700 properties in its system following its 2016 acquisition of Starwood for $13.6 billion, will be notifying customers whose records were in the affected database. To facilitate this process, Marriott has established a dedicated website and call center to work with guests who have questions about the status of their personal information.

“We deeply regret this incident,” stated the mega-chain’s President and CEO Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

For any organisation that deals in consumer data, breaches have become a fact of life. Last month, Radisson Hotel Group announced its Radisson chain was impacted by a data breach. In Radisson’s case, hackers were not able to access credit card or password information, but were able to obtain member names, addresses, email addresses, company names, phone numbers, Radisson Rewards member numbers and frequent-flyer numbers.

On top of this, Orbitz revealed hackers accessed the information of nearly 900,000 guests in March.

What differentiates breaches such as Marriott’s and Radisson’s from previous hacks at IHG or Hyatt Hotels Corporation is the passage of the European General Data Protection Regulation, which went into effect this past May. GDPR requires that a breach be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, and it allows fines of up to 20 million euros or 4 percent of a company’s annual global turnover, whichever is higher, if investigators find security deficiencies.

Sam Curry, chief security officer for cyber security firm Cybereason, said 2018 has been “the year of the breach,” with hundreds of major brand names falling victim to data thieves. These include T-Mobile, British Airways, Air Canada and now Marriott.

Ian Eyberg, CEO of security firm NanoVMs, told Hotel Management he anticipates Marriott will be facing heavy fines due to its strong European presence and the application of GDPR. He clarified the three-month lag between Marriott’s discovery of the hack and its announcement to the general public is routine, particularly because it’s difficult to ascertain how long a hacker has been able to access a system and the need to prepare for damage control.

However, Eyberg also said unless serious changes are made to the security infrastructure used by most businesses, issues with data security are likely to increase in the near future. This is partly due to archaic systems propping up many companies’ networks on the back end, but that is only one piece of the puzzle.

“Companies are just stockpiling data and that is very, very valuable to hackers,” Eyberg said. “When integrating with various service providers in the future, drill into this question of security: Is standard protection going to cut it? No. Do we have to go to our developers and see if there are better solutions? Maybe. The problem is not going away, it’s arguably getting worse.”

According to Chargeback Gurus CEO Srii Srinivasan, the cost of a data breach can continue on for months as fraudsters and unscrupulous customers can take advantage of Marriott’s weakened position and victimize them with fraudulent chargebacks.

“We have seen when there are data breaches of this kind, fraudulent payment chargebacks spike by up to 5 percent,” Srinivasan said. “This could tack on, in the case of a company like Marriott, many millions of dollars to the cost of recovering from the hack. While dealing with a data breach, companies and their banks will often side with the customers and write off the chargeback claims as a cost of doing business, but this is an unnecessary loss they may be accepting.”

THPT Comment: Our sympathies go out to Marriott management. The irony is that, with the mega takeovers, merging Loyalty Programs is a top priority.

Soon after the acquisition, Marriott began merging the Starwood Preferred Guest program with its own Marriott Rewards program. The company then turned its attention to merging the reservation systems. It was while working with the Starwood system that IT staff discovered the activities of the hacker. Marriott apparently had installed a new security monitoring tool on the Starwood network that alerted them to an unauthorised attempt to access the Starwood database.

First Seen: Hotel Online

The Hotel Property Team (THPT) are a small group of highly experienced business professionals. Between us, we provide a range of skills and experience which is directly relevant to those involved in the hotel property market.
