Data security

Marriott suffers data breach

Marriott International said that there had been an incident at one of its franchise properties where “an unexpected amount of guest information may have been accessed”.

News of the breach came on the same day that the Information Commissioner in the UK had been due to make a decision on whether a fine was due after Marriott International’s data breach in late 2018.

The company said that the information had been accessed using the login credentials of two employees, with the incident dating from mid-January.

Marriott International said that around 5.2 million guests might have been affected, with information including contact details, loyalty account information, additional personal details such as gender and birthday, partnerships and affiliations - such as linked airline loyalty programmes - and preferences including stay and room preferences.

The group said that it had no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s licence numbers.

Marriott said that it was sending emails to guests involved and had set up a dedicated website. It was also working with its insurers to assess coverage and said that it did not believe that its total costs related to this incident would be “significant”.

Thomas Page, global head of hotel & leisure Group, CMS, told us: “According to Marriott, the data breach was implemented using two employee logins at a franchise property. Unlike their previous data breach which was due to inadequate security protocols in their central systems, this data breach may be due to failures (or deliberate acts) by a third party who had legitimate access to Marriott’s systems.

“It will be interesting to see in such a situation to what extent regulators will focus any sanctions imposed on the franchisee, rather than on Marriott as franchisor. It does raise questions, however, as to the extent of franchisees’ access to Marriott systems and whether franchisees have access to more data than they need in order to carry out their role as franchisee.”

Last year saw the Information Commissioner's Office in the UK announce that it intended to fine Marriott International £99.2m for breaches of data protection law, after five million unencrypted passport numbers and eight million credit card records were exposed. The breach related to a reservations database acquired as part of the acquisition of Starwood Hotels & Resorts.

Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott International defended itself against the claim and the Information Commissioner’s Office was due to decide on 31 March what fine, if any, was due from the company. It then extended the deadline, with an ICO spokesperson telling us: “The regulatory process is ongoing.”

Marriott International CEO Arne Sorenson told a US Senate committee hearing last March that the company had not been aware of the scale of the data issues at Starwood Hotels & Resorts prior to buying it in 2016, with the source of the breach unknown.

Sorenson told the Senate Permanent Subcommittee on Investigations: “As a company that prides itself on taking care of people, we recognise the gravity of this criminal attack on the Starwood guest reservation database and our responsibility for protecting data concerning our guests. To all of our guests, I sincerely apologise.”

Insight: The day that you’re due to hear whether you’re going to have to fork out £99.2m is very much not the day that you want to have to tell the world that you’ve had another data breach. The ICO was not forthcoming about why, or when, it decided to extend the deadline, but we imagine that Marriott International has, at the very least, some questions to answer.

It is unfortunate indeed, because Marriott International had a reputation for doing everything right when it came to technology, the very epitome of the safe and sober driver. It was let down by Starwood’s database - described to this hack as being “like a sieve” by someone close to it - and there was speculation that the rushed state of the takeover, where there was plenty of competition to acquire the more desirable parts of the company, meant that not all the stones were turned.

Now it has been let down again, this time at a franchise. You’re only as strong as your weakest link and all that, but when those weak links can deal such devastating blows to your business, it’s time to look at what can be done to shore up the foundation. Today’s consumer is nervous enough. Best not tip them over the edge when safety in all its forms will be paramount when choosing a hotel.