Marriott Starwood data breach: hotel giant fined almost £100m for breaking privacy laws

Hotel giant Marriott International has been fined almost £100m over a major cyberattack in which hacker accessed credit card details, passport numbers and other personal data belonging to a total of 339 million guests.

The UK Information Commissioner’s Office (ICO) has ordered the US hotel group to pay out £99.2m for breaking the European Union’s General Data Protection Regulation (GDPR), a set of strict laws designed to protect private user information.

The breach is thought to date back to up to five years ago but was only discovered in 2018, and made public in November, the BBC reports.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Information Commissioner Elizabeth Denham said the GDPR rules “makes it clear that organisations must be accountable for the personal data they hold”.

“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected”, she said.

Marriott International intends to appeal the decision.

“Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” said company chief Arne Sorenson.

The hotel chain isn’t the first major firm to be stung by the EU’s data privacy laws.

The Marriott fine comes days after the ICO confirmed plans to fine British Airways £183m over a hack involving personal data of half a million of the airline’s customers.

What happened?

On 30 November, Marriott International announced that customer records had been compromised in what may be one of the largest data breaches in history. Initial estimates put the number of customers affected at up to 500 million, though the number has since fallen by about 100 million.

The company revealed that hackers accessed the guest reservation database of Starwood - a rival hotel group that Marriott acquired three years ago - as early as 2014, the BBC reports.

Marriott claims it received an alert from an “internal security tool” on 8 September that warned of an attempt by an “unauthorised party” to access the Starwood database in the US, says The Guardian.

That discovery prompted further investigation that uncovered the long-term unauthorised access across the network, which has since been phased out.

The hacker copied and secured the data with encryption, making it more difficult for authorities to determine the contents. The hotel chain said its investigators were finally able to decrypt the information on 19 November.

Who was behind the attack?

A month after the attack was revealed, sources briefed on the investigation accused China’s Ministry of State Security, a “communist-controlled civilian spy agency”, of orchestrating the hack as part of an intelligence-gathering effort, The New York Times reports.

The newspaper says that spies allegedly “hacked health insurers and the security clearance files of millions more Americans” before accessing the personal customer records of the Marriott-owned hotel group.

Private investigators discovered hacking tools, techniques and procedures previously used in cyberattacks linked to Chinese agencies, three company insiders told Reuters.

However, while China is the “lead suspect” in the case, sources warned that it was possible someone else was behind the hack, because other parties had access to the same hacking tools, the news site reports.

Are you affected?

Given the sheer amount of customer data hacked, there is a high possibility that anyone who has stayed at a Starwood hotel in recent years may be affected by the breach.

Starwood’s UK properties include the Sheraton Grand Park Lane and Le Meridien Piccadilly in London, and the Sheraton Grand in Edinburgh, The Guardian reports.

The Marriott group lists the categories of data exposed in the leak as:

• Names
• Mailing address
• Phone number
• Email address
• Passport number
• Starwood Preferred Guest account information
• Date of birth
• Gender
• Arrival and departure information
• Reservation date
• Communication preferences

A “combination” of customer data was leaked in most cases, according to the company.

The credit card details of an “unspecified” number of people were also stolen, adds Business Insider. Marriott says these files were secured with encryption but that it is possible the hackers also took the information necessary to decrypt them.