In 2018, Marriott International disclosed a huge data breach involving 339 million of its customers. This page explains more about how the Marriott data breach happened.
Marriott International Group admitted that around 339 million customers had their personal data put at risk. This made the Marriott data hack one of the most serious data breaches of its kind.
In response, the Information Commissioner’s Office (ICO) announced that it planned to fine the US hotel group £99.2 million. This fine was later reduced to £18.4 million.
The 2018 Marriott data hack affected customers who made reservations at the following hotels and timeshare properties:
While the Marriott data breach was discovered in 2018, it could affect customers who made a booking at any of these hotels as far back as 2014.
On Tuesday 31st March 2020, Marriott announced that it was notifying some guests of a security incident involving an unspecified system at a franchise hotel. On this occasion, Marriott believed that up to 5.2 million guests may have been affected.
In a statement, the hotel chain said:
“At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.
“Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers”.
The following information may have been compromised in the hack, although Marriott states that not all of this information was present for every guest involved:
The Information Commissioner’s Office (ICO) investigated the 2018 data breach. The ICO is the independent authority charged with upholding data protection rights in the UK.
The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
In response, the Information Commissioner’s Office (ICO) announced that it planned to fine the US hotel group Marriott International £99.2 million. This fine was appealed and later reduced to £18.4 million.
The financial impact of the pandemic was taken into consideration, alongside other factors. The ICO also acknowledged that Marriott acted promptly to mitigate the risk of damage and inform those affected.
This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR. While the ICO has the power to impose data breach fines, it does not give this money to victims of the data breach.
See our answers to the FAQs we get asked about the Marriott Data Breach.
Marriott International suffered a cyber-attack in 2014 affecting millions of its guests. The incident was not discovered until four years later.
The breach began when the systems of the Starwood hotels group were compromised in 2014. Between 2014 and 10th September 2018, cybercriminals were able to repeatedly access, encrypt, and download mass amounts of customer data from the Starwood reservation system.

Marriott purchased Starwood in September 2016. However, rather than migrate to Marriott’s own reservation system, the business continued to use the IT infrastructure inherited from Starwood, including the already-compromised reservation system.

In November 2018, an internal investigation by the hotel group found that there had been unauthorised access to a database containing guest information relating to reservations at various Starwood properties. The investigation also revealed that millions of guest records had been involved. Many of the records included extremely sensitive information such as credit card and passport numbers.
The stolen data included information such as passport numbers, emails, dates of birth, gender and mailing addresses, and in some cases reservation dates. Marriott also said that it was not able to rule out whether credit card information was exposed.
Customers who have been affected should have been told already.
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.