Marriott International reveals further data breach affecting over five million guests worldwide
Leading data breach lawyers say those affected by latest data breach could be entitled to compensation for the loss of their personal details
Posted on 31 March 2020
Marriott International have today announced a new data breach affecting 5.2 million customers worldwide, including those in the UK.
While continuing to investigate the incident, Marriott state that the information taken is thought to include customers’ names, postal and email addresses, phone numbers, birthdays, gender, employers, loyalty account information, partnership and affiliation details (eg for linked companies like airlines) and room preferences. Marriott state that they do not currently believe that customers’ credit card information, passport numbers or driving licence information were accessed.
Marriott also state that the information was accessed using the login details of two employees at a franchised property and that it believes that the activity began in mid-January and was discovered at the end of February 2020. The login credentials have now been disabled.
Marriott state that they are notifying affected guests by email (using the email address firstname.lastname@example.org) and have set up a dedicated website and call centre (08003457018 in the UK).
Marriott notified customers of a previous data breach in November 2018 that affected 339 million guest records globally, including seven million relating to UK residents. On that occasion, the hacked information included a combination of customers’ names, postal and email addresses, phone numbers, passport numbers, Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences as well as encrypted payment card numbers and payment card expiration dates. Marriott also stated at the time that the two components needed to decrypt the payment card numbers may also have been taken.
In July 2019, the Information Commissioner’s Office (ICO), the UK’s data protection watchdog responsible for upholding the public’s information rights, issued a Notice of Intention to fine Marriott International £99,200,396 for breach of the General Data Protection Regulation (GDPR) in relation to the incident. Marriott are contesting the fine.
Sean Humber and Gene Matthews from law firm Leigh Day, who act for hundreds of clients whose personal details have been disclosed without their permission as a result of data breaches, both commented on the incident.
Sean Humber, data breach solicitor from law firm Leigh Day, commented:
“It beggars belief that Marriott have suffered a further data breach affecting millions of their customers’ personal details. It is important that there is now a thorough independent investigation to establish what went wrong this time and why lessons do not appear to have been learnt from the last data breach. If, as with the previous breach, it turns out that the data was hacked as a result of inadequate security systems then they are likely to face yet another stiff fine.”
Gene Matthews, data breach solicitor from law firm Leigh Day, added:
“Separate from any fine that Marriott may now face, those customers affected by this latest breach are likely to be entitled to compensation for the loss of control over their information as well as any distress and inconvenience caused or financial losses suffered.”