Exposed user data from Marriott hotel company

Marriott, one of the largest hotel chains on the planet, issued a statement on November 30, 2018 confirming that it had detected unauthorized access to its customer database on November 19, 2018. The database holds information on about 500 million people.

As explained in the statement, the accessed database contains information related to reservations at Starwood properties made up to 10 September 2018. The investigation indicates that, for 327 million of those clients, information including passport and bank account numbers, dates and places of birth, and contact details, among others, would have been disclosed.

Marriott has set up a customer service centre, notified those affected by the incident by e-mail and offered the possibility of a free network security service for one year. In addition, it recommends changing all passwords that may have been discovered and keeping an eye out for any updates on what has happened.

[Update 11/12/2018] Connie Kim, Marriott spokeswoman, said they have established a process to determine whether their customers have been victims of the fraud and, if so, the company will reimburse the amount associated with obtaining a new passport.

[Update 04/03/2019] The massive data breach suffered by Marriott in November 2018 has cost the world’s biggest hotel chain only $3 million so far, after the company’s insurer covered most of the costs associated with the hack.

[Update 10/07/2019] Marriott announced that the UK Information Commissioner’s Office (ICO) has communicated its intent to issue a fine in the amount of £99,200,396 against the company in relation to this incident. Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and defend its position.

[Update 09/11/2020] The ICO has imposed a fine of 18.4 million pounds on Marriott International Inc for not keeping the personal data of its customers safe. The investigation concluded that Marriott did not implement the appropriate technical or organizational measures to protect personal data, as required by the General Data Protection Regulation (GDPR).