Massive Data Breach By Marriott

Marriott International Inc was recently fined £18.4 million by the ICO (the Information Commissioner's Office) for violating the GDPR (the General Data Protection Regulation).

Another giant company is failing to comply with the data protection law. Approximately 339 million guests worldwide were affected by a cyber attack on Starwood Hotels that began in 2014; Starwood was acquired by Marriott in 2016. According to the ICO's report, Marriott did not detect the compromise when it acquired Starwood, nor after the GDPR came into force, and the attacker continued to access guests' personal data throughout that period.

The ICO's investigation found that the exact number of individuals affected could not be established, because a single guest may have more than one record; in the UK alone, the figure could exceed 7 million records. That number demonstrates Marriott's negligence towards its customers.

The attacker installed a piece of code known as a "web shell" (a script planted on a web server that lets an attacker run commands on it remotely), through which he had unauthorized, unrestricted access to several devices. He then obtained several sets of login credentials, accessed the database storing reservation data, and exported it.

Elizabeth Denham, Information Commissioner, said: "When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect."

The breach took place before the UK left the EU, specifically on the 28th of May 2018; the decision to sanction Marriott was therefore taken by the ICO and approved by all the other EU data protection authorities (DPAs).

According to the ICO, Marriott acted as soon as it discovered the attack, notifying its customers and the supervisory authority. It has since taken the necessary measures to improve the security of the systems and tools it uses.


Need help?

Sovy's GDPR Essentials can help you with each of the following steps:

Walk through a data mapping exercise and build your data inventory.

Build all the policies you need under the GDPR, including a privacy policy, data protection policy, and data breach response forms.

Train your employees with industry-standard eLearning courses.

Track document access and history to ensure transparency in the event of an audit.

Manage your cookies and data rights (e.g. access, deletion, portability) with our consent manager dashboard.

Get in touch to find out how Sovy's GDPR Privacy Essentials can help you.