Marriott International reveal huge data breach incident affecting 500 million guests worldwide
Leading data protection lawyer says those affected by the breach could be entitled to compensation for the distress and inconvenience caused, as well as any financial losses
Posted on 30 November 2018
Marriott International could face claims for compensation by customers in the UK after the US-based hotel chain announced that approximately 500 million guests worldwide have been affected by a data breach of its Starwood guest reservation database for those making reservations between 2014 and 10 September 2018.
Marriott International’s Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. This includes over a dozen Starwood hotels in the UK including the Sheraton Grand London Park Lane Hotel, the Sheraton Heathrow Hotel, the Trump Turnberry Resort and Le Meridien Piccadilly Hotel.
Marriott International have confirmed that for 327 million of the 500 million guests, the hacked information included a combination of their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
They have also stated that “for some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
For the remaining guests, Marriott International state the information was limited to name and sometimes other data such as mailing address, email address, or other information.
Marriott have now apologised for the breach saying that “we fell short of what our guests deserve and what we expect of ourselves” and confirmed that they will be emailing affected guests on a rolling basis from today although do not indicate how long this is likely to take.
However, Sean Humber from law firm Leigh Day who acts for victims of data breaches said: “This is just the latest, and biggest, in a recent spate of worrying data breaches from companies handling their customers’ personal data online.
“This data breach seems to have affected some of the most prestigious hotels in the UK including the Sheraton Grand London Park Lane Hotel and the Trump Turnberry Resort, a hotel purchased by the Trump Organisation in 2014. Given that President Trump stayed at the Trump Turnberry Resort in July 2018, it seems likely that a number of very important people may have been affected by this data breach.
“The admission that, in some of these cases, guests’ payment card details have been taken make this even more serious. Marriott International now needs to contact those affected without delay.”
“If it turns out that the data was hacked as a result of inadequate security systems then those affected are likely to be entitled to compensation for the distress and inconvenience caused, as well as any financial losses they may have suffered.”