
Marriott Data Breach

THIS ACTION IS NOW CLOSED

In 2018, a huge data breach came to light involving 339 million Marriott International customers. This page explains more about how the Marriott data breach happened.

What happened in the Marriott data breach?

Marriott International Group admitted that around 339 million customers had their personal data put at risk. This made the Marriott data hack one of the most serious data breaches of its kind.

In response, the Information Commissioner’s Office (ICO) announced that it planned to fine the US hotel group £99.2 million. This fine was later reduced to £18.4 million.

The 2018 Marriott data hack affected customers who made reservations at the following hotels and timeshare properties:

While the Marriott data breach was discovered in 2018, it could affect customers who made a booking at any of these hotels as far back as 2014.

Marriott Data Breach (2020)

On Tuesday 31st March 2020, Marriott announced that it was notifying some guests of a security incident involving an unspecified system at a franchise hotel. On this occasion, Marriott believed that up to 5.2 million guests may have been affected.

In a statement, the hotel chain said:

“At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.

“Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
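The statement above says the 2020 incident was spotted as an "unexpected amount of guest information" retrieved with two employees' credentials. The following is an added illustration, not code from Marriott or from this page, of the kind of volume check that catches such misuse: each staff account is compared with its own recent daily baseline, and the log lines and account names are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access log: (date, account, guest records returned). Not real Marriott data.
ACCESS_LOG = [
    ("2020-01-06", "frontdesk01", 140), ("2020-01-07", "frontdesk01", 155),
    ("2020-01-08", "frontdesk01", 130), ("2020-01-09", "frontdesk01", 160),
    ("2020-01-10", "frontdesk01", 150), ("2020-01-13", "frontdesk01", 9800),
    ("2020-01-06", "frontdesk02", 90),  ("2020-01-07", "frontdesk02", 110),
    ("2020-01-08", "frontdesk02", 95),  ("2020-01-09", "frontdesk02", 105),
    ("2020-01-10", "frontdesk02", 100), ("2020-01-13", "frontdesk02", 98),
]

def daily_totals(log):
    """Sum the records returned per (account, date)."""
    totals = defaultdict(int)
    for date, account, n in log:
        totals[(account, date)] += n
    return totals

def flag_volume_anomalies(log, baseline_days=5, z_threshold=4.0, min_records=1000):
    """Return (account, date, count, baseline_mean) for days whose volume is far
    above that account's own recent baseline.

    The baseline is the mean and population stdev of the account's previous
    baseline_days days. A day is flagged only when its z-score exceeds
    z_threshold AND the absolute count exceeds min_records, so a quiet account
    with a near-zero stdev does not alert on ordinary noise."""
    totals = daily_totals(log)
    per_account = defaultdict(list)
    # ISO dates sort correctly as strings
    for (account, date), n in sorted(totals.items(), key=lambda kv: kv[0][1]):
        per_account[account].append((date, n))
    alerts = []
    for account, days in per_account.items():
        for i, (date, n) in enumerate(days):
            history = [x for _, x in days[max(0, i - baseline_days):i]]
            if len(history) < baseline_days:
                continue  # not enough history yet to judge this day
            mu, sigma = mean(history), pstdev(history)
            if sigma > 0:
                z = (n - mu) / sigma
            else:
                z = float("inf") if n > mu else 0.0
            if z > z_threshold and n >= min_records:
                alerts.append((account, date, n, round(mu, 1)))
    return alerts
```

In the constructed log only frontdesk01 on 13th January is flagged; frontdesk02 stays within its usual range.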

The following information may have been compromised in the hack, although Marriott states that not all of this information was present for every guest involved:

The ICO's Investigation

The Information Commissioner’s Office (ICO) investigated the 2018 data breach. The ICO is the independent authority charged with upholding data protection rights in the UK.

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

In response, the Information Commissioner’s Office (ICO) announced that it planned to fine the US hotel group Marriott International £99.2 million. This fine was appealed and later reduced to £18.4 million.

The financial impact of the pandemic was taken into consideration, alongside other factors. The ICO also acknowledged that Marriott acted promptly to mitigate the risk of damage and inform those affected.

This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR. While the ICO has the power to impose data breach fines, it does not give this money to victims of the data breach.


Marriott data breach timeline

  • 2014 – 10th September 2018
    Cybercriminals were able to repeatedly access, encrypt, and download mass amounts of customer data from the Starwood reservation system
  • September 2016
    Marriott purchased Starwood. However, rather than migrate to Marriott's own reservation system, the business continued to use IT infrastructure inherited from Starwood
  • 19th November 2018
    An internal investigation found that there had been unauthorised access to a database. This contained guest information relating to reservations at various Starwood properties. The investigation also revealed that 500 million guest records had been involved. Many of the records included extremely sensitive information such as credit card and passport numbers
  • 30th November 2018
    Marriott announced the Starwood guest reservation Database security incident. Marriott also began sending emails to all affected guests
  • December 2018
    The media reported that state-sponsored Chinese hackers were possibly behind the attack.
  • 9th July 2019
    Following an investigation into the breach, the ICO announced its intention to fine Marriott International, Inc more than £99 million under the GDPR for the data breach. Marriott appealed the fine. In response, the ICO said that it would consider carefully the representations made by the company and the other concerned data protection authorities before making a final decision
  • January 2020
    In a further data breach, guest information was accessed using the login credentials of two employees at a franchise property
  • February 2020
    Marriott discovered this second data breach.
  • 31st March 2020
    Marriott announced that it was notifying some guests of the security incident at the franchise hotel.
  • 30th October 2020
    The Information Commissioner's Office (ICO) fined hotel giant Marriott International £18.4 million for the 2018 data breach.

Your questions answered

See our answers to the FAQs we get asked about the Marriott Data Breach.

What happened in the 2018 Marriott data breach?

Marriott International suffered a cyber-attack in 2014 affecting millions of its guests. The incident was not discovered until four years later.

Marriott International Group admitted that around 339 million customers had their personal data put at risk. This made the Marriott data hack one of the most serious data breaches of its kind.

The vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Between 2014 and 10th September 2018, cybercriminals were able to repeatedly access, encrypt, and download mass amounts of customer data from the Starwood reservation system. Marriott purchased Starwood in September 2016. However, rather than migrate to Marriott’s own reservation system, the business continued to use IT infrastructure inherited from Starwood. In November 2018, an internal investigation by the hotel group found that there had been unauthorised access to a database. This contained guest information relating to reservations at various Starwood properties. The investigation also revealed that millions of guest records had been involved. Many of the records included extremely sensitive information such as credit card and passport numbers.

What data was accessed?

The stolen data included information such as passport numbers, emails, dates of birth, gender and mailing addresses, and in some cases reservation dates. Marriott also said that it was not able to rule out whether credit card information was exposed.

How do I know if my details were involved in these breaches?

Customers who have been affected should have been told already.