Marriott Hotels fined £18.4M

The UK's data privacy watchdog has fined the Marriott Hotels chain £18.4m for a major data breach that may have affected up to 339 million guests.

The cyber-criminals had been in the systems for years, and their access effectively came along with the merger deal without Marriott having any idea. The first part of the cyber-attack happened in 2014, affecting the Starwood Hotels group, which Marriott acquired two years later. Until 2018, when the problem was first noticed, the attacker continued to have access to all affected systems and to the guest data held in them, including:

  • contact details (e.g., name, mailing address, email address, and phone number)
  • loyalty account information (e.g., account number and points balance, but not passwords)
  • additional personal details (e.g., company, gender, and birthday day and month)
  • partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
  • preferences (e.g., stay/room preferences and language preference)

What happened?

In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included passport data, contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020.

What were the consequences?

This major data breach presumably affected almost 339 million hotel guests. Marriott Hotels & Resorts paid an £18.4M fine as the company had failed to comply with General Data Protection Regulation (GDPR) requirements.

This wasn’t the first data breach investigation for the company: Marriott fought a £99 million (approximately $124 million) GDPR fine for a 2018 data breach.

Why did it happen?

Attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott’s cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months. With third-party vendor monitoring and user and entity behavior analytics, Marriott could have detected the breach before hackers accessed clients’ data.
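As an added illustration of the behavior-analytics idea in this section (this is example code, not Marriott's tooling or data), the following Python baselines each account's daily record-access volume from a constructed access log and flags a sudden bulk read of the kind a compromised employee credential against a guest-services application would produce. The log format, usernames, application name and thresholds are all assumptions.

```python
# Added example (not Marriott's code): a minimal UEBA-style check that
# baselines per-account record-access volume and flags days that deviate.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "date user app records_accessed".
# emp_a behaves normally for four days, then performs a bulk read.
SAMPLE_LOG = """\
2020-01-06 emp_a guest-services 120
2020-01-07 emp_a guest-services 135
2020-01-08 emp_a guest-services 110
2020-01-09 emp_a guest-services 128
2020-01-10 emp_a guest-services 4800
2020-01-06 emp_b guest-services 90
2020-01-07 emp_b guest-services 95
2020-01-08 emp_b guest-services 88
2020-01-09 emp_b guest-services 93
2020-01-10 emp_b guest-services 97
"""


def parse_log(text):
    """Return a list of (date, user, app, count) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        date, user, app, count = line.split()
        events.append((date, user, app, int(count)))
    return events


def flag_anomalies(events, baseline_days=4, z_threshold=3.0, min_ratio=5.0):
    """Per user, learn a baseline from the first `baseline_days` days and flag any
    later day whose volume fails both a z-score test and a ratio test, so that a
    single slightly busy day does not page anyone but a bulk export does."""
    per_user = defaultdict(list)
    for date, user, app, count in sorted(events):
        per_user[user].append((date, app, count))
    alerts = []
    for user, rows in per_user.items():
        base = [c for _, _, c in rows[:baseline_days]]
        mu, sigma = mean(base), pstdev(base)
        for date, app, count in rows[baseline_days:]:
            if sigma:
                z = (count - mu) / sigma
            else:  # flat baseline: any change is infinitely unusual
                z = float("inf") if count != mu else 0.0
            if z > z_threshold and count > min_ratio * mu:
                alerts.append({"user": user, "date": date, "app": app,
                               "count": count, "baseline_mean": mu})
    return alerts
```

In practice the baseline would come from a longer window and be combined with other signals (new source address, off-hours login, new application), but the per-account comparison is the core of what the paragraph above calls user and entity behavior analytics.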

Sources:

https://news.marriott.com/news/2020/03/31/marriott-international-notifies-guests-of-property-system-incident

https://www.bbc.com/news/technology-54748843