Marriott International breached again – 5.2 million guests’ personal data exposed

Marriott International Inc. announced on Tuesday that it suffered a new data breach earlier this year, exposing the personal data of 5.2 million guests. In a statement on its website, Marriott said that guests’ names, addresses, birthdays, emails, phone numbers and loyalty reward program numbers for the hotel chain and partner airlines could be compromised.

This comes not long after Marriott’s previous data breach in November 2018, which was caused by a cyber incident and affected approximately 339 million guest records worldwide. In July 2019, the UK Information Commissioner’s Office (ICO) released a statement of its intention to fine Marriott International over £99 million in respect of that breach. The ICO is currently considering Marriott International’s representations in deciding whether to give a penalty notice, and the amount of the penalty if a penalty notice is given.

Marriott said it appears that the compromised data in this latest breach was accessed using the login credentials of two employees at a franchise hotel in Russia. The breach is thought to be linked to the in-house app that hotels operated and franchised under Marriott’s brands use to help provide services to guests.

Upon discovering the breach, Marriott disabled the login credentials and began an investigation, implementing heightened monitoring and arranging resources to inform and assist guests. It has contacted the relevant guests, who will be required to change their passwords, and a portal has been set up for any concerned guests to check whether they have been affected. Marriott has also notified the relevant authorities, who will no doubt begin an investigation into the group and its data protection practices.

This latest breach highlights the importance of having sound commercial agreements within supply chains, especially where personal data is being transferred. Agreements should include warranties and indemnities in respect of data security (along with appropriate data processing and/or data sharing agreements), so that in the event of a data breach or cyber attack, it will be clear where liability falls and innocent parties will have contractual remedies to fall back on.
