Marriott International, the hotel giant which is awaiting its fate over a proposed £99m fine from the Information Commissioner’s Office over a 2018 incident, has been forced to admit it has been hit by a second breach, compromising the personal information of up to 5.2 million customers.
The incident began in mid-January but was not discovered until the end of February. It has exposed names, addresses, birth dates, gender, email addresses and telephone numbers of millions of guests. Employer name, gender, room stay preferences and loyalty account numbers have also been compromised.
The information is believed to have been accessed by an unknown third party, using the login credentials of two employees at a group hotel operated as a franchise. Marriott does not believe passports, payment details or passwords have been exposed.
The company said that it has notified relevant authorities and has begun notifying those whose data was exposed in the breach. It has also set up a dedicated website to help those impacted.
In a statement it said: “Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.
“The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.”
Both Marriott and British Airways were served notice of the record fines – totalling £282m – for breaches of GDPR within days of each other back in July last year.
Marriott’s proposed £99.2m penalty related to a cyber incident that Marriott self-reported in November 2018, which exposed about 339 million guest records globally, of which 7 million relate to UK customers. Meanwhile BA was given notice of a £183.39m penalty for a 2018 data breach, which saw the personal data of hundreds of thousands of customers compromised.
However, neither fine has been levied yet. Both companies struck an 11th-hour agreement to extend the “regulatory process” for another three months back in January; that period is due to expire next week.