In early September 2018, it was discovered that the hotel group Marriott International had suffered a huge data breach, affecting the records of 500 million of its customers. Marriott disclosed the hack on Friday 30th November 2018, prompting U.S. and UK regulators to quickly launch probes into the case. Investigations revealed that hackers had had unauthorised access to the Starwood guest reservation database as far back as 2014.
The information stolen included names, addresses, phone numbers, email addresses, passport numbers, dates of birth, and arrival and departure information. It is also believed that some records may have contained encrypted payment card information. Marriott has not yet ruled out the possibility that, along with the encrypted data, the two components needed to decrypt it were also obtained, and is therefore urging affected customers to check their bank accounts as soon as possible.
Marriott acquired Starwood in 2016 for $13.6 billion, including the Sheraton, Westin, W Hotels, St. Regis, Aloft, Le Meridien, Tribute, Four Points and Luxury Collection hotel brands, forming the world’s largest hotel operator.
Arne Sorenson, President and Chief Executive of Marriott International, said:
“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott have released a website containing essential information concerning the hack, answers to guests’ questions and steps they can take following the incident: https://answers.kroll.com/
The General Data Protection Regulation (GDPR) has set penalties for mishandling consumer data as high as €20 million (approximately £17.5 million), or up to 4% of annual turnover, whichever is larger. For Marriott, this means the data breach could trigger the first significant fine since the regulation came into force, on top of the lawsuit it is already facing from disgruntled customers.
It’s expected that multiple class action lawsuits are going to be filed against Marriott, with a figure of around $12.5 billion in costs and losses to be distributed amongst the people affected by this colossal attack. Examples of recent payouts include Uber, which just agreed to pay $148 million to settle a class action for its 2016 hack, and Yahoo, which agreed to pay up to $85 million for a 2014 hack that exposed the personal details of 500 million users.
Ilia Kolochenko, Chief Executive of the web security company High-Tech Bridge, said:
“In the past two years many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cybersecurity and privacy.”
When processing cardholder-not-present (CNP) payments, either over the phone or on the web, it is vital to take into consideration where the customer’s sensitive card details are collected, processed and stored, even if the information is encrypted. Organisations need to constantly evaluate the scope of their corporate network when processing sensitive card details and ensure it is protected against the continuous attempts of hackers. De-scoping an organisation’s network under the PCI compliance guidelines is a best-practice solution: removing customer card data from internal systems completely dramatically decreases the possibilities of fraud.