Marriott Hotels, which is currently awaiting a decision about a proposed £99m fine from the Information Commissioner’s Office over a 2018 incident, has now had to admit it has been hit by another breach, this time compromising the personal information of up to 5.2 million customers.
This incident began in mid-January; however, it was not discovered until the end of February. It appears to have exposed the names, addresses, birth dates, gender, email addresses and telephone numbers of millions of guests. Employer names, room stay preferences and loyalty account numbers have also been compromised.
The information is believed to have been accessed by an unknown third party, using the login credentials of two employees at a group hotel operated as a franchise. Marriott does not think that passports, payment details or passwords have been exposed.
The company said that it has informed relevant authorities and has begun notifying those whose data was exposed. It has also set up a dedicated website to help those who have been affected.
In a statement it said: “Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.
“The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.”
Both Marriott and British Airways were served notice of the record fines – totalling £282m – for breaches of GDPR within days of each other back in July last year.
Marriott’s proposed £99.2m penalty related to a cyber incident that Marriott self-reported in November 2018, which exposed about 339 million guest records globally, of which 7 million relate to UK customers. BA was given notice of a £183.39m penalty for a 2018 data breach, which saw the personal data of hundreds of thousands of customers breached.
However, neither fine has been paid yet. In January, both companies made a last-minute deal to extend the “regulatory process” for another three months; this is now due to expire next week.
Only time will tell the outcome.