The UK’s data regulator has confirmed it is investigating the breach and has said it plans to fine the US hotel group Marriott International. Although the Marriott groups headquarters are in the US, it has to comply with the EUs GDPR rules when dealing with citizens in the EU.
Marriott International bought Starwood in 2016, creating the largest hotel chain in the world with more than 5,800 properties. Starwoods hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.
The security incident was discovered in November 2018, when an internal investigation found an attacker had been able to access the Starwood network since 2014. Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an unauthorised party had copied and encrypted information, according to BBC.
It said it believed its database contained records of up to 500 million customers. The stolen info included details such as: name, address, phone number, email address, passport number, account information, date of birth, gender, and arrival and departure information.
Some records also included encrypted payment card information.
At that time, the company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now