Marriott International said it had discovered there has been "unauthorised access" to its Starwood guest reservation database since 2014 after investigating a security incident that occurred on 8 September this year. It said "an unauthorised party had copied and encrypted information, and took steps towards removing it".
The breach is limited to Marriott International's Starwood database, which contains information on guests who stayed at hotels under the Starwood brand, whose properties include W Hotels, St. Regis, Sheraton Hotels & Resorts and Westin Hotels & Resorts, the company said.
The data accessed includes guests' names, addresses, phone numbers, passport numbers, dates of birth, gender, arrival and departure information, reservation dates and, in some cases, payment card details. Marriott said that while "the payment card numbers were encrypted" it has not yet been able to "rule out the possibility" that the two components needed to decrypt that information were taken.
Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said it was the latest major data breach to have been reported since the General Data Protection Regulation (GDPR) took effect in May this year. He said, though, that, as in the British Airways and Cathay Pacific cases, there is a question over whether the Marriott data breach would be investigated under the GDPR or under pre-GDPR legislation in Europe.
The UK's data protection authority, the Information Commissioner's Office (ICO), has previously confirmed to Pinsent Masons that data breach incidents which occurred prior to 25 May 2018 will be considered under the Data Protection Act 1998 – the Act that applied until the GDPR, and the new Data Protection Act 2018 in the UK, took effect on that date this year. None of the provisions in the GDPR will apply to incidents which occurred before 25 May 2018, it said.
"There is a paradox now where it is in a company's interests to emphasise the historic nature of a data security incident and state how long an incident has been running and how long systems have been exposed to seek to show that the GDPR should not apply," Birdsey said. "This reflects the size of the potential financial penalties that can be levied under the GDPR when compared to pre-GDPR legislation."
Birdsey said that there is also a growing trend towards group data protection and privacy claims being brought against businesses that experience data breaches. This presents a multi-million pound risk to companies, particularly where there is a large volume of data subjects affected by a breach, he said.
In its statement, Marriott International said it has reported the data breach to regulatory authorities and begun to notify affected guests. Individuals affected in the US, Canada and UK will be able to enrol in a free monitoring service which will flag when their personal data is shared on the internet, it said.
"Marriott deeply regrets this incident happened," it said. "From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call centre. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."