It has recently been reported that hackers stole the personal data of as many as 500 million guests who had made reservations using Marriott’s Starwood booking system.
The personal data affected by the breach includes guests' names, mailing addresses, phone numbers, email addresses, passport numbers, account details, dates of birth, gender, and arrival and departure information. Worryingly, an internal investigation revealed that the hackers had been able to access guests' personal data since 2014.
Marriott has informed the Information Commissioner's Office (ICO) of the breach, in accordance with its reporting obligations under the General Data Protection Regulation (GDPR). Importantly, the GDPR imposes strict obligations not only in relation to the safeguarding of personal data, but also in relation to the disclosure of breaches. It should be noted, though, that Marriott's efforts in disclosing the breach and notifying customers may go some way towards mitigating any liability.
Since its acquisition of Starwood in 2016, Marriott has been the largest hotel group in the world. With this being one of the largest breaches yet identified, it is likely that the ICO will be carefully considering Marriott's culpability and the potential for a significant fine.
In the US, a class action has been filed against Marriott for an alleged failure 'to ensure the integrity of its servers and to properly safeguard consumers' highly sensitive and confidential information'. Marriott has attracted additional scrutiny based on suggestions that the vulnerability could have been detected as early as 2015. If accurate, the ICO is unlikely to look kindly on the safeguarding measures that this huge company, holding vast quantities of personal data, had in place.
If you would like to discuss how BakerLaw can assist your business with its data protection obligations, please feel free to contact us on 01252 730770 or email firstname.lastname@example.org.
This article is not a definitive statement of the law. It is designed as a free update on the law at the time of publishing. It is not a substitute for legal advice on specific facts and circumstances. BakerLaw LLP and/or the writer accepts no liability or responsibility for reliance on this article and recommends that you seek independent legal advice on your specific circumstances prior to taking any steps.