Personal data including credit card details, passport numbers and the dates of birth of up to 500 million people has been stolen in a “colossal” hack of Marriott International.
The company said it first became aware of a security breach in early September, but that further investigation revealed unauthorised access to the guest reservation database dating back to 2014.
Marriott stated that the extent of the compromised data varied by guest.
But it included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences, as well as card numbers and expiration dates.
Although credit card information was encrypted, Marriott has not been able to rule out the possibility that the encryption keys were also stolen.
The president and chief executive of Marriott International, Arne Sorenson, said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The data breach is likely to attract the attention of European regulators, both for the scale of the problem, and the delay in reporting it to the public.
The general data protection regulation (GDPR) allows for fines for data breaches of up to 4% of annual turnover; in Marriott’s case, that would imply a maximum fine of £117m.