Marriott hack warning

The latest headline hack is a stark reminder that organisations need constant vigilance against malicious actors, and that a breach can also bring large regulatory fines.

The guest reservation database of the Starwood hotel brand, part of the Marriott group since 2016, has been breached, affecting the records of up to 500 million guests. It is not the largest data breach of all time, although it is one of the biggest. What is particularly troubling is that there appears to have been unauthorised access to the Starwood network since 2014. Four years is a very long time for an attacker to probe defences and harvest customers' personal data without being detected.

The Starwood database held a variety of information on its guests, including names, dates of birth, passport numbers and, for some guests, encrypted payment card details. Dates of birth and passport numbers cannot be changed the way a card can be reissued, so the potential for subsequent identity fraud is considerable.

Although the Marriott group is headquartered in the US, it still has to comply with the General Data Protection Regulation (GDPR) when processing the personal data of individuals in the European Union. The UK's Information Commissioner's Office (ICO) has confirmed receipt of a data breach report from the Marriott group and says it is 'making enquiries'.

The hotel chain's response to the breach needs to be robust. If the group is found to have had inadequate data security measures in place, it could ultimately face a large fine. For GDPR breaches, the ICO can issue a monetary penalty of up to 20 million Euros or 4% of the group's total annual worldwide turnover in the preceding financial year, whichever is higher. If, however, the breach is found to have taken place before GDPR came into effect on 25 May 2018, the maximum penalty under the earlier Data Protection Act 1998 would be limited to £500,000, which is still far from insignificant.

Maintaining sound data protection policies and procedures is vital for every organisation. Many attacks are opportunistic rather than targeted, so any entity, large or small, can suffer a breach if it does not maintain appropriate defences.

Please get in touch for help and advice on how to take practical data protection and cyber security measures.